CVE-2025-69224
Unknown Unknown - Not Provided
Request Smuggling Vulnerability in AIOHTTP Python HTTP Parser

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69224
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aiohttp aiohttp to 3.13.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects AIOHTTP, an asynchronous HTTP client/server framework for Python. Versions 3.13.2 and below of its HTTP parser may allow a request smuggling attack when non-ASCII characters are present. If the pure Python version of AIOHTTP is used (without C extensions) or if AIOHTTP_NO_EXTENSIONS is enabled, an attacker could exploit this to bypass certain firewalls or proxy protections. The issue is fixed in version 3.13.3.

Impact Analysis

The vulnerability can allow an attacker to perform a request smuggling attack, which may enable them to bypass firewalls or proxy protections. This could lead to unauthorized access or manipulation of HTTP requests, potentially compromising the security of your web applications or services using affected versions of AIOHTTP.

Mitigation Strategies

Upgrade AIOHTTP to version 3.13.3 or later to fix the vulnerability. Additionally, avoid using the pure Python version of AIOHTTP without C extensions or disabling extensions via AIOHTTP_NO_EXTENSIONS, as these configurations increase risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69224. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart