CVE-2025-69223
Zip Bomb DoS Vulnerability in AIOHTTP Server
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiohttp | aiohttp | to 3.13.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in AIOHTTP versions 3.13.2 and below allows an attacker to send a specially crafted compressed request (a zip bomb) that, when decompressed by the server, can exhaust the host's memory, leading to a denial of service (DoS).
How can this vulnerability impact me? :
The vulnerability can cause a denial of service by exhausting the server's memory resources, potentially making the AIOHTTP server unavailable or unstable.
What immediate steps should I take to mitigate this vulnerability?
Upgrade AIOHTTP to version 3.13.3 or later, as this version contains the fix for the zip bomb DoS vulnerability. Avoid processing compressed requests from untrusted sources until the upgrade is applied.