MEDIUM

GHSA-g84x-mcqj-x9qq

AIOHTTP vulnerable to DoS through chunked messages

Details

### Summary

Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.

### Impact

If an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712 Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.13.3

Fix pip install --upgrade 'aiohttp>=3.13.3'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-69229 [ADVISORY]
https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229 [WEB]
https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712 [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]