MEDIUM

GHSA-jj3x-wxrx-4x23

AIOHTTP vulnerable to DoS when bypassing asserts

Details

### Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.

### Impact If optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message.

------

Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.13.3

Fix pip install --upgrade 'aiohttp>=3.13.3'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-69227 [ADVISORY]
https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259 [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]