CVE-2025-69223
Modified Modified - Updated After Analysis

Zip Bomb DoS Vulnerability in AIOHTTP Server

Vulnerability report for CVE-2025-69223, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-05

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-05
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-01-06
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
aiohttp aiohttp to 3.13.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in AIOHTTP versions 3.13.2 and below allows an attacker to send a specially crafted compressed request (a zip bomb) that, when decompressed by the server, can exhaust the host's memory, leading to a denial of service (DoS).

Impact Analysis

The vulnerability can cause a denial of service by exhausting the server's memory resources, potentially making the AIOHTTP server unavailable or unstable.

Mitigation Strategies

Upgrade AIOHTTP to version 3.13.3 or later, as this version contains the fix for the zip bomb DoS vulnerability. Avoid processing compressed requests from untrusted sources until the upgrade is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart