2427456 – (CVE-2025-69223) CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb

Bug 2427456 (CVE-2025-69223) - CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb

Summary: CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vuln...

Keywords:
Status:	NEW
Alias:	CVE-2025-69223
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-06 20:02 UTC by OSIDB Bzimport
Modified:	2026-01-07 00:20 UTC (History)
CC List:	74 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-06 20:02:24 UTC

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
alinfoot
anpicker
anthomas
bbrownin
bdettelb
bparees
carogers
caswilli
dfreiber
doconnor
drow
dtrifiro
dymurray
ehelms
erezende
ggainey
haoli
hasun
hkataria
ibolton
jajackso
jburrell
jcammara
jdobes
jfula
jkoehler
jmatthew
jmitchel
jmontleo
jneedle
jowilson
jsamir
juwatts
jwong
kaycoth
kegrant
koliveir
kshier
lphiri
mabashia
mhulan
nmoumoul
nyancey
omaciel
ometelka
orabin
osousa
pakotvan
pbraun
pcreech
pgaikwad
ptisnovs
rbryant
rchan
rjohnson
shvarugh
simaishi
slucidi
smallamp
smcdonal
sseago
stcannon
sthirugn
syedriko
teagle
tfister
thavo
tmalecek
ttakamiy
vkumar
weaton
xdharmai
yguenane