AIOHTTP Server Crash from Malicious Compressed File
DEBIAN-CVE-2025-69223
CVSS score: 7.5
Summary
The AIOHTTP server may crash if it receives a specially crafted compressed file. This could happen when a malicious file is sent to the server, causing it to run out of memory and become unresponsive. Update to AIOHTTP version 3.13.3 or later to fix this issue.
What to do
- Debian 13: update the python-aiohttp package to version 3.11.16-1+deb13u1.
- Debian 14: update the python-aiohttp package to version 3.13.3-1.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| Debian:11 | debian | python-aiohttp | All versions | |
| Debian:12 | debian | python-aiohttp | All versions | |
| Debian:13 | debian | python-aiohttp | < 3.11.16-1+deb13u1 | Upgrade to 3.11.16-1+deb13u1 |
| Debian:14 | debian | python-aiohttp | < 3.13.3-1 | Upgrade to 3.13.3-1 |
Original description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
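As an added illustration (not aiohttp's code or the Debian patch) of the defensive pattern the description points at: inflate a compressed request body in bounded steps and stop as soon as the output exceeds a cap, so a few kilobytes on the wire cannot expand into unbounded memory on the server. All inputs are constructed here; the chunk size, the cap and the helper names are assumptions.

```python
import gzip
import zlib


class DecompressionBombError(ValueError):
    """Raised when a compressed body expands beyond the allowed size."""


def bounded_decompress(body: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a deflate/zlib/gzip body while holding at most
    max_output + chunk bytes of output in memory.

    wbits = MAX_WBITS | 32 lets zlib auto-detect a gzip or zlib header.
    max_length on each decompress() call caps how much output one step
    may produce; unprocessed input is left in unconsumed_tail.
    """
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = bytearray()
    pending = body
    while True:
        piece = inflater.decompress(pending, chunk)
        out += piece
        if len(out) > max_output:
            raise DecompressionBombError(f"decompressed size exceeds {max_output} bytes")
        pending = inflater.unconsumed_tail
        if inflater.eof:            # end-of-stream marker seen: done
            break
        if not pending and not piece:
            # input exhausted with no end-of-stream marker: truncated body
            raise ValueError("truncated compressed body")
    return bytes(out)


def exceeds_limit(body: bytes, max_output: int) -> bool:
    """True if inflating body would need more than max_output bytes."""
    try:
        bounded_decompress(body, max_output)
    except DecompressionBombError:
        return True
    return False


def compress_deflate(data: bytes) -> bytes:
    """zlib-wrapped deflate, as sent with Content-Encoding: deflate."""
    return zlib.compress(data)


def compress_gzip(data: bytes) -> bytes:
    """gzip framing, as sent with Content-Encoding: gzip."""
    return gzip.compress(data)


def constructed_bomb_sample(expanded_size: int) -> bytes:
    """Constructed test input: all-zero data, which compresses roughly 1000:1."""
    return zlib.compress(b"\0" * expanded_size, 9)
```

A server applying this cap rejects the oversized body with a 413-style error instead of allocating the full expanded size; the cap should be set per deployment, not left at the example values.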
CVSS 3.1 base score (osv): 7.5
References
- https://security-tracker.debian.org/tracker/CVE-2025-69223 (Vendor Advisory)
Published: 5 Jan 2026 · Updated: 1 May 2026 · First seen: 1 May 2026