python-aiohttp: Prevent Denial of Service and Data Exposure
SUSE-SU-2026:0859-1
Summary
An update for python-aiohttp fixes several security issues that could allow attackers to disrupt or crash an application that uses aiohttp, obtain sensitive information, or cause the system to consume excessive resources. Applying the update as soon as possible is recommended to keep your application secure and stable.
What to do
- Update python-aiohttp to version 3.6.0-150100.3.32.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | python-aiohttp | <= 3.6.0-150100.3.32.1 | 3.6.0-150100.3.32.1 |
Original title
Security update for python-aiohttp
Original description
This update for python-aiohttp fixes the following issues:
- CVE-2025-69228: Fixed denial of service through large payloads (bsc#1256022).
- CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc#1256020).
- CVE-2025-69224: Fixed Unicode processing of header values that could cause parsing discrepancies (bsc#1256018).
- CVE-2025-69223: Fixed the aiohttp HTTP parser auto_decompress feature being susceptible to zip bombs (bsc#1256017).
- CVE-2025-69227: Fixed DoS when bypassing asserts (bsc#1256021).
- CVE-2025-69225: Fixed Unicode match groups in regexes for ASCII protocol elements (bsc#1256019).
- CVE-2025-69229: Fixed DoS through chunked messages (bsc#1256023).
References
- https://www.suse.com/support/update/announcement/2026/suse-su-20260859-1/ (Vendor Advisory)
- https://bugzilla.suse.com/1254867 (Third Party Advisory)
- https://bugzilla.suse.com/1256017 (Third Party Advisory)
- https://bugzilla.suse.com/1256018 (Third Party Advisory)
- https://bugzilla.suse.com/1256019 (Third Party Advisory)
- https://bugzilla.suse.com/1256020 (Third Party Advisory)
- https://bugzilla.suse.com/1256021 (Third Party Advisory)
- https://bugzilla.suse.com/1256022 (Third Party Advisory)
- https://bugzilla.suse.com/1256023 (Third Party Advisory)
- https://www.suse.com/security/cve/CVE-2025-69223
- https://www.suse.com/security/cve/CVE-2025-69224
- https://www.suse.com/security/cve/CVE-2025-69225
- https://www.suse.com/security/cve/CVE-2025-69226
- https://www.suse.com/security/cve/CVE-2025-69227
- https://www.suse.com/security/cve/CVE-2025-69228
- https://www.suse.com/security/cve/CVE-2025-69229
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 13 Mar 2026