CVE-2025-69225
Unknown Unknown - Not Provided
Request Smuggling Risk in AIOHTTP Range Header Parser

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69225
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
aiohttp aiohttp to 3.13.2 (inc)
aiohttp aiohttp 3.13.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in aiohttp versions 3.13.2 and below involves the HTTP Range header parser incorrectly allowing non-ASCII decimal digits (such as Unicode digits) in the Range header. This improper parsing could potentially be exploited for HTTP request smuggling attacks. The issue arises because the regular expression used to parse the Range header did not restrict digits to ASCII only. The fix enforces ASCII-only digit matching, rejecting non-ASCII digits and preventing malformed or malicious Range headers from being accepted. [1, 2]

Impact Analysis

While no direct impact has been confirmed, the vulnerability could potentially allow an attacker to exploit HTTP request smuggling by sending Range headers with non-ASCII digits. This could lead to security risks such as bypassing security controls or causing unexpected behavior in HTTP request handling. [2]

Detection Guidance

You can detect this vulnerability by monitoring HTTP requests for 'Range' headers containing non-ASCII decimal characters. For example, you can use network traffic analysis tools like tcpdump or Wireshark to capture HTTP traffic and then filter or search for 'Range' headers with unusual characters. A simple command to capture HTTP traffic on port 80 and filter for 'Range' headers might be: tcpdump -A -s 0 'tcp port 80' | grep -i 'Range'. Additionally, inspecting logs or using scripts to parse HTTP headers for non-ASCII digits in the 'Range' header can help identify attempts to exploit this issue. Note that the vulnerability specifically involves non-ASCII digits such as Unicode digits (e.g., Devanagari digit five). [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the aiohttp package to version 3.13.3 or later, where the issue has been fixed by enforcing ASCII-only digit matching in the 'Range' header parser. This update rejects any 'Range' headers containing non-ASCII digits, preventing potential request smuggling attacks. If upgrading is not immediately possible, consider implementing input validation or filtering at the application or network level to block HTTP requests with malformed 'Range' headers containing non-ASCII digits. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart