CVE-2025-69225
Request Smuggling Risk in AIOHTTP Range Header Parser

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.
CVSS Scores: none listed
EPSS Scores: probability and percentile not listed
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor    Product   Version / Range
aiohttp   aiohttp   up to and including 3.13.2 (affected)
aiohttp   aiohttp   3.13.3 (fixed)
CWE
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'). The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in aiohttp versions 3.13.2 and below is in the HTTP Range header parser, which accepted non-ASCII decimal digits (such as Unicode digits) in the Range value. The cause is that the regular expression used to parse the header did not restrict digit matching to ASCII: in Python, `\d` in a str pattern matches any Unicode decimal digit, and `int()` converts such digits as well, so a header such as `bytes=५-499` was parsed as a valid byte range instead of being rejected. A proxy or other intermediary in front of the server may interpret the same header differently, and that inconsistency (the CWE-444 pattern) is what could, in principle, be turned into HTTP request smuggling, although no working exploit is known. The fix in 3.13.3 enforces ASCII-only digit matching, so such headers are rejected. [1, 2]
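The following is an added illustration written for this page, not aiohttp's own source: a simplified model of a lenient `bytes=start-end` pattern beside two hardened forms, run over a constructed header value that uses U+096B (Devanagari digit five). It shows why the lenient version does not merely match the header but silently converts it to an ordinary byte range.

```python
import re
from typing import Optional, Tuple

# Constructed sample header values for this illustration. U+096B is the
# Devanagari digit five, the example the advisory text cites.
ASCII_RANGE = "bytes=0-499"
UNICODE_RANGE = "bytes=\u096b-499"  # renders as "bytes=५-499"

# Simplified model of a lenient Range pattern (written for this page; it is
# not aiohttp's source). In a str pattern, Python's \d matches every Unicode
# decimal digit (category Nd), not only 0-9.
LENIENT_RE = re.compile(r"^bytes=(\d*)-(\d*)$")

# Hardened form: an explicit ASCII digit class ...
STRICT_RE = re.compile(r"^bytes=([0-9]*)-([0-9]*)$")
# ... or the same pattern compiled with re.ASCII, which restricts \d to 0-9.
STRICT_FLAG_RE = re.compile(r"^bytes=(\d*)-(\d*)$", re.ASCII)


def parse_range(value: str, pattern: re.Pattern) -> Optional[Tuple[Optional[int], Optional[int]]]:
    """Return (start, end) for a single byte-range spec, or None if rejected.

    int() accepts Unicode decimal digits too, so with the lenient pattern
    "bytes=<U+096B>-499" becomes (5, 499) with no error anywhere.
    """
    m = pattern.match(value)
    if m is None:
        return None
    start, end = m.group(1), m.group(2)
    return (int(start) if start else None, int(end) if end else None)


def compare() -> dict:
    """Run both header values through the lenient and strict patterns."""
    return {
        "ascii/lenient": parse_range(ASCII_RANGE, LENIENT_RE),
        "ascii/strict": parse_range(ASCII_RANGE, STRICT_RE),
        "unicode/lenient": parse_range(UNICODE_RANGE, LENIENT_RE),
        "unicode/strict": parse_range(UNICODE_RANGE, STRICT_RE),
        "unicode/strict-flag": parse_range(UNICODE_RANGE, STRICT_FLAG_RE),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:20s} -> {result}")
```

The two strict variants are equivalent; `[0-9]` is the more explicit choice because it does not depend on a flag that a later edit of the pattern could drop.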


How can this vulnerability impact me?

No direct impact has been confirmed. The concern is the CWE-444 pattern: an intermediary in front of aiohttp (a reverse proxy, CDN, cache or WAF) may treat a Range header containing non-ASCII digits as invalid or absent, while aiohttp parses it as a valid byte range, so the two components hold different views of the same request. That kind of disagreement is the raw material of request smuggling and related cache attacks, and it can also cause unexpected behaviour in request handling. Whether it is actually exploitable depends on what sits in front of your aiohttp server and how that component handles the same header. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Two checks are useful. First, confirm which aiohttp version is installed in each environment, for example with `pip show aiohttp` or `python -c "import aiohttp; print(aiohttp.__version__)"`; anything at or below 3.13.2 is affected. A dependency scanner such as pip-audit, which queries the PyPI advisory data, will also flag the package once the advisory is indexed. Second, look for Range headers whose value contains non-ASCII characters in traffic or logs. For plaintext HTTP you can capture with tcpdump and grep for a Range header carrying a byte outside the ASCII range, for example `tcpdump -A -s 0 'tcp port 80' | grep -aiP 'Range:.*[^\x00-\x7F]'` (the `-P` option is GNU grep). This does not see TLS traffic; for HTTPS, log the Range header at the TLS-terminating reverse proxy or in an aiohttp middleware and inspect it there. The vulnerability specifically involves non-ASCII decimal digits such as Unicode digits (e.g., Devanagari digit five, U+096B). A legitimate client never sends these, so any hit is worth investigating. [1]
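The header inspection described above, as an added example that is not part of the original page: a small scanner over constructed raw HTTP/1.x requests (not captured traffic) that pulls out every Range header, reports any non-ASCII character in it, and marks which of those are Unicode decimal digits. The same functions can be pointed at header values taken from proxy logs.

```python
import unicodedata
from typing import Dict, List

# Constructed sample requests for this illustration (not captured traffic).
# Request 1 carries U+096B DEVANAGARI DIGIT FIVE (UTF-8 e0 a5 ab) and request 2
# carries U+0669 ARABIC-INDIC DIGIT NINE (UTF-8 d9 a9) inside the Range value.
SAMPLE_REQUESTS = [
    b"GET /a.bin HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-1023\r\n\r\n",
    b"GET /a.bin HTTP/1.1\r\nHost: example.test\r\nRange: bytes=\xe0\xa5\xab-1023\r\n\r\n",
    b"GET /a.bin HTTP/1.1\r\nHost: example.test\r\nrange: bytes=0-\xd9\xa9\r\n\r\n",
    b"GET /b.bin HTTP/1.1\r\nHost: example.test\r\n\r\n",
]


def range_header_values(raw: bytes) -> List[str]:
    """Extract every Range header value from one raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"range":  # header names are case-insensitive
            # Replace undecodable bytes instead of failing, so a malformed
            # header is still reported rather than silently skipped.
            values.append(value.strip().decode("utf-8", errors="replace"))
    return values


def suspicious_chars(value: str) -> List[Dict[str, object]]:
    """List non-ASCII characters in a Range value, flagging Unicode decimal digits."""
    findings = []
    for ch in value:
        if ch.isascii():
            continue
        findings.append({
            "char": ch,
            "codepoint": f"U+{ord(ch):04X}",
            "name": unicodedata.name(ch, "UNKNOWN"),
            # Category Nd is exactly the set of digits that \d and int() accept.
            "is_decimal_digit": unicodedata.category(ch) == "Nd",
        })
    return findings


def scan(requests: List[bytes]) -> List[Dict[str, object]]:
    """Return one record per request whose Range header contains non-ASCII characters."""
    hits = []
    for idx, raw in enumerate(requests):
        for value in range_header_values(raw):
            bad = suspicious_chars(value)
            if bad:
                hits.append({"request": idx, "range": value, "chars": bad})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

Flagging every non-ASCII character rather than only digits is deliberate: a Range value has no legitimate use for any of them, and a broader match costs nothing in false positives.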


What immediate steps should I take to mitigate this vulnerability?

The immediate step is to upgrade the aiohttp package to version 3.13.3 or later, where the Range header parser enforces ASCII-only digit matching and rejects any Range header containing non-ASCII digits. If upgrading is not immediately possible, reject rather than normalise: return 400 for any request whose Range header contains non-ASCII characters, either in an aiohttp middleware or at the reverse proxy in front of the application. A valid Range value consists only of ASCII digits, the unit name, '=', '-', ',' and optional whitespace, so such a rule does not affect legitimate clients. Rewriting the header instead of rejecting it would just create another place where two components can disagree about the request. [1, 2]
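One way to implement the stop-gap described above (example code written for this page, not aiohttp's own fix, and assuming the aiohttp package is installed): a middleware that refuses any Range header that is not pure ASCII before the request reaches a handler. The `/data.bin` route, the file path and the `serve_file` handler are hypothetical placeholders.

```python
from aiohttp import web

# Added illustration of a stop-gap for deployments that cannot upgrade yet.
# This is not the 3.13.3 fix (which hardens the parser itself); it simply
# rejects any Range header that is not pure ASCII before the parser sees it.


def range_header_is_ascii(value: str) -> bool:
    """True when the Range value contains only ASCII characters."""
    return value.isascii()


@web.middleware
async def reject_non_ascii_range(request: web.Request, handler):
    rng = request.headers.get("Range")  # header lookup is case-insensitive
    if rng is not None and not range_header_is_ascii(rng):
        # Reject rather than normalise: rewriting the header would give
        # the proxy and the application two different views of the request.
        raise web.HTTPBadRequest(text="Range header must be ASCII")
    return await handler(request)


async def serve_file(request: web.Request) -> web.StreamResponse:
    # Hypothetical handler; FileResponse honours request.http_range, which is
    # exactly the code path a malformed Range header would reach.
    return web.FileResponse("/var/www/data.bin")  # placeholder path


def make_app() -> web.Application:
    app = web.Application(middlewares=[reject_non_ascii_range])
    app.router.add_get("/data.bin", serve_file)
    return app


if __name__ == "__main__":
    web.run_app(make_app(), port=8080)
```

Keep the middleware in place after upgrading only if you want defence in depth; it is harmless, since no legitimate Range value contains non-ASCII characters.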

