2427253 – (CVE-2025-69225) CVE-2025-69225 aiohttp: aiohttp: Request smuggling vulnerability via non-ASCII decimals in Range header

Bug 2427253 (CVE-2025-69225) - CVE-2025-69225 aiohttp: aiohttp: Request smuggling vulnerability via non-ASCII decimals in Range header

Summary: CVE-2025-69225 aiohttp: aiohttp: Request smuggling vulnerability via non-ASCI...

Keywords:
Status:	NEW
Alias:	CVE-2025-69225
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-06 00:01 UTC by OSIDB Bzimport
Modified:	2026-01-13 10:18 UTC (History)
CC List:	75 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-06 00:01:22 UTC

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
alinfoot
anpicker
anthomas
bbrownin
bdettelb
bparees
carogers
caswilli
dfreiber
doconnor
drow
dtrifiro
dymurray
ehelms
erezende
ggainey
haoli
hasun
hkataria
ibolton
jajackso
jburrell
jcammara
jdobes
jfula
jkoehler
jmatthew
jmitchel
jmontleo
jneedle
jowilson
jsamir
juwatts
jwong
kaycoth
kegrant
koliveir
kshier
lphiri
mabashia
mhulan
nmoumoul
nyancey
omaciel
ometelka
orabin
osousa
pakotvan
pbohmill
pbraun
pcreech
pgaikwad
ptisnovs
rbryant
rchan
rjohnson
shvarugh
simaishi
slucidi
smallamp
smcdonal
sseago
stcannon
sthirugn
syedriko
teagle
tfister
thavo
tmalecek
ttakamiy
vkumar
weaton
xdharmai
yguenane