Bug 2427257 (CVE-2025-69229) - CVE-2025-69229 aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handling
Status: NEW
Alias: CVE-2025-69229
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
Reported: 2026-01-06 00:01 UTC by OSIDB Bzimport
Modified: 2026-01-06 07:25 UTC

Description OSIDB Bzimport 2026-01-06 00:01:46 UTC
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.
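
An added triage example (not part of the bug report and not aiohttp's own code): it checks for the two conditions the description names, an exact aiohttp pin below 3.13.3 and a handler that awaits request.read(). The requirements text, the handler source and the parameter name `request` are constructed assumptions.

```python
import ast
import re

FIXED = (3, 13, 3)  # first fixed release named in the description
# Matches exact release pins only (aiohttp==X.Y.Z, optional extras/markers).
PIN = re.compile(
    r"^\s*aiohttp(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(?:;.*)?$", re.I)

def pinned_aiohttp(requirements: str):
    """Return the exact aiohttp pin as an int tuple, or None if not pinned."""
    for line in requirements.splitlines():
        m = PIN.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            return tuple(int(p) for p in m.group(1).split("."))
    return None

def is_affected(version):
    """True for releases below 3.13.3; pads so (3, 13) compares as 3.13.0."""
    padded = tuple(version) + (0,) * (len(FIXED) - len(version))
    return padded < FIXED

def request_read_calls(source: str, param: str = "request"):
    """Line numbers of `await <param>.read()`; `param` is an assumed name."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        call = node.value if isinstance(node, ast.Await) else None
        if (isinstance(call, ast.Call)
                and isinstance(call.func, ast.Attribute)
                and call.func.attr == "read"
                and isinstance(call.func.value, ast.Name)
                and call.func.value.id == param):
            hits.append(node.lineno)
    return sorted(hits)

def audit(requirements: str, source: str):
    version = pinned_aiohttp(requirements)
    return {"version": version,
            "affected_version": version is not None and is_affected(version),
            "read_calls": request_read_calls(source)}

# Constructed sample inputs, not taken from any real project.
SAMPLE_REQUIREMENTS = "# constructed\naiohttp[speedups]==3.13.2  # pinned\nexample-lib==1.0.0\n"
SAMPLE_HANDLER = """from aiohttp import web

async def upload(request):
    body = await request.read()
    return web.Response(text=str(len(body)))
"""

if __name__ == "__main__":
    print(audit(SAMPLE_REQUIREMENTS, SAMPLE_HANDLER))
```

Unpinned or range specifiers return `None` for the version and need to be resolved against the installed environment instead.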