CVE-2025-69224
Request Smuggling Vulnerability in AIOHTTP Python HTTP Parser
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiohttp | aiohttp | all versions below 3.13.3 (3.13.3 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects AIOHTTP, an asynchronous HTTP client/server framework for Python. Versions 3.13.2 and below of its HTTP parser may allow a request smuggling attack when non-ASCII characters are present. If the pure Python version of AIOHTTP is used (without C extensions) or if AIOHTTP_NO_EXTENSIONS is enabled, an attacker could exploit this to bypass certain firewalls or proxy protections. The issue is fixed in version 3.13.3.
How can this vulnerability impact me?
The vulnerability can allow an attacker to perform a request smuggling attack, which may enable them to bypass firewalls or proxy protections. This could lead to unauthorized access or manipulation of HTTP requests, potentially compromising the security of your web applications or services using affected versions of AIOHTTP.
What immediate steps should I take to mitigate this vulnerability?
Upgrade AIOHTTP to version 3.13.3 or later, which fixes the vulnerability. Until then, avoid the two configurations that run the affected pure-Python parser: using AIOHTTP without its C extensions, or disabling them by setting AIOHTTP_NO_EXTENSIONS, as both increase risk.
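An exposure check that combines the record's two conditions (installed version below 3.13.3, and the pure-Python parser path being active) is shown below. This is an added example, not code from the aiohttp project or from this record; the `HttpRequestParserC` attribute probe is an assumption about aiohttp's module layout, and the version strings in the test are constructed.

```python
# Exposure check for CVE-2025-69224: aiohttp below 3.13.3 on the pure-Python parser path.
import os, re
from typing import Mapping, Optional, Tuple

FIXED = ((3, 13, 3), True)  # first fixed release per the record; True marks a final release

def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """'3.13.2' -> ((3, 13, 2), True); '3.13.3rc1' -> ((3, 13, 3), False),
    so a pre-release of the fixed version still sorts below it."""
    parts, final = [], True
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m:
            parts.append(int(m.group()))
        if not m or m.end() != len(piece):  # non-numeric piece or suffix such as 'rc1'
            final = False
            break
    return tuple(parts), final

def version_is_affected(text: str) -> bool:
    """True for every release below 3.13.3, pre-releases of 3.13.3 included."""
    return parse_version(text) < FIXED

def pure_python_parser_in_use(env: Optional[Mapping[str, str]] = None) -> Optional[bool]:
    """True: pure-Python parser active; False: C parser loaded; None: aiohttp not importable."""
    env = os.environ if env is None else env
    if env.get("AIOHTTP_NO_EXTENSIONS"):  # any non-empty value disables the extensions
        return True
    try:
        from aiohttp import http_parser
    except ImportError:
        return None
    # Assumption: aiohttp binds the compiled parser to HttpRequestParserC when it loads.
    return getattr(http_parser, "HttpRequestParserC", None) is None

def assess(version: str, pure_python: Optional[bool]) -> dict:
    """Combine both record conditions; an unknown parser mode counts as exposed."""
    affected = version_is_affected(version)
    return {"version": version, "version_affected": affected,
            "pure_python_parser": pure_python,
            "exposed": affected and pure_python is not False,
            "action": "upgrade to aiohttp 3.13.3 or later" if affected else "none"}

if __name__ == "__main__":
    try:
        import aiohttp
        print(assess(aiohttp.__version__, pure_python_parser_in_use()))
    except ImportError:
        print("aiohttp is not installed in this interpreter")
```

Run it inside the interpreter that serves your application, since the parser mode depends on that environment's extensions and variables, not on the package metadata alone.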