MEDIUM

GHSA-6jhg-hg63-jvvf

AIOHTTP vulnerable to denial of service through large payloads

Details

### Summary A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.

### Impact If an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.13.3

Fix pip install --upgrade 'aiohttp>=3.13.3'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-69228 [ADVISORY]
https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60 [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]