Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-sjws-ddnq-fke2
Vulnerability ID VCID-sjws-ddnq-fke2
Aliases CVE-2025-69223
GHSA-6mq8-rvhq-8wgg
Summary AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb ### Summary A zip bomb can be used to execute a DoS against the aiohttp server. ### Impact An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory. ------ Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69223.json
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
epss 0.00063 https://api.first.org/data/v1/epss?cve=CVE-2025-69223
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-6mq8-rvhq-8wgg
cvssv3.1 7.5 https://github.com/aio-libs/aiohttp
generic_textual HIGH https://github.com/aio-libs/aiohttp
cvssv3.1 7.5 https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
generic_textual HIGH https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
ssvc Track https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
cvssv3.1 7.5 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
cvssv3.1_qr HIGH https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
generic_textual HIGH https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
ssvc Track https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-69223
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-69223
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69223.json
https://api.first.org/data/v1/epss?cve=CVE-2025-69223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69223
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/aio-libs/aiohttp
https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
https://nvd.nist.gov/vuln/detail/CVE-2025-69223
2427456 https://bugzilla.redhat.com/show_bug.cgi?id=2427456
GHSA-6mq8-rvhq-8wgg https://github.com/advisories/GHSA-6mq8-rvhq-8wgg
RHSA-2026:10184 https://access.redhat.com/errata/RHSA-2026:10184
RHSA-2026:1249 https://access.redhat.com/errata/RHSA-2026:1249
RHSA-2026:1497 https://access.redhat.com/errata/RHSA-2026:1497
RHSA-2026:1506 https://access.redhat.com/errata/RHSA-2026:1506
RHSA-2026:1596 https://access.redhat.com/errata/RHSA-2026:1596
RHSA-2026:1599 https://access.redhat.com/errata/RHSA-2026:1599
RHSA-2026:1609 https://access.redhat.com/errata/RHSA-2026:1609
RHSA-2026:2106 https://access.redhat.com/errata/RHSA-2026:2106
RHSA-2026:2695 https://access.redhat.com/errata/RHSA-2026:2695
RHSA-2026:3461 https://access.redhat.com/errata/RHSA-2026:3461
RHSA-2026:3462 https://access.redhat.com/errata/RHSA-2026:3462
RHSA-2026:3713 https://access.redhat.com/errata/RHSA-2026:3713
RHSA-2026:3782 https://access.redhat.com/errata/RHSA-2026:3782
RHSA-2026:3958 https://access.redhat.com/errata/RHSA-2026:3958
RHSA-2026:3959 https://access.redhat.com/errata/RHSA-2026:3959
RHSA-2026:3960 https://access.redhat.com/errata/RHSA-2026:3960
RHSA-2026:6308 https://access.redhat.com/errata/RHSA-2026:6308
RHSA-2026:6309 https://access.redhat.com/errata/RHSA-2026:6309
RHSA-2026:6404 https://access.redhat.com/errata/RHSA-2026:6404
USN-8032-1 https://usn.ubuntu.com/8032-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69223.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/aio-libs/aiohttp
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:17Z/ Found at https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:17Z/ Found at https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-69223
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.19782
EPSS Score 0.00063
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:29.088027+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-6mq8-rvhq-8wgg/GHSA-6mq8-rvhq-8wgg.json 38.0.0