2427255 – (CVE-2025-69230) CVE-2025-69230 aiohttp: aiohttp: Denial of Service via specially crafted invalid cookies

Bug 2427255 (CVE-2025-69230) - CVE-2025-69230 aiohttp: aiohttp: Denial of Service via specially crafted invalid cookies

Summary: CVE-2025-69230 aiohttp: aiohttp: Denial of Service via specially crafted inva...

Keywords:
Status:	NEW
Alias:	CVE-2025-69230
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-06 00:01 UTC by OSIDB Bzimport
Modified:	2026-01-13 10:18 UTC (History)
CC List:	75 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-06 00:01:37 UTC

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. This issue is fixed in 3.13.3.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
alinfoot
anpicker
anthomas
bbrownin
bdettelb
bparees
carogers
caswilli
dfreiber
doconnor
drow
dtrifiro
dymurray
ehelms
erezende
ggainey
haoli
hasun
hkataria
ibolton
jajackso
jburrell
jcammara
jdobes
jfula
jkoehler
jmatthew
jmitchel
jmontleo
jneedle
jowilson
jsamir
juwatts
jwong
kaycoth
kegrant
koliveir
kshier
lphiri
mabashia
mhulan
nmoumoul
nyancey
omaciel
ometelka
orabin
osousa
pakotvan
pbohmill
pbraun
pcreech
pgaikwad
ptisnovs
rbryant
rchan
rjohnson
shvarugh
simaishi
slucidi
smallamp
smcdonal
sseago
stcannon
sthirugn
syedriko
teagle
tfister
thavo
tmalecek
ttakamiy
vkumar
weaton
xdharmai
yguenane