CVE-2025-69228
Memory Exhaustion Vulnerability in AIOHTTP Request.post() Handler
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aio-libs | aiohttp | up to 3.13.2 (inclusive) |
| aio-libs | aiohttp | 3.13.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in aiohttp versions 3.13.2 and below allows an attacker to craft a specially designed HTTP POST request with multipart form data that causes the server's memory to fill up uncontrollably during processing. The issue occurs because the size limit on multipart form data was not properly enforced across the entire request, allowing excessively large payloads to be processed. This can lead to memory exhaustion and potentially freeze the server. The vulnerability is fixed in version 3.13.3 by enforcing a global size limit on the entire multipart form data during POST requests. [1, 2]
How can this vulnerability impact me?
If your application uses aiohttp versions 3.13.2 or below and includes handlers that use the Request.post() method, an attacker can exploit this vulnerability by sending large multipart form data payloads. This can cause your server's memory to be exhausted, leading to denial of service by freezing the server and making it unresponsive to legitimate users. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, monitor your aiohttp server for unusually high memory usage or freezing behavior during processing of HTTP POST requests, especially those involving multipart form data. You can use system monitoring commands such as 'top' or 'htop' on Linux to observe memory consumption. Additionally, capturing and analyzing HTTP POST requests with tools like 'tcpdump' or 'Wireshark' may help identify unusually large multipart form submissions. There are no specific commands provided in the resources for direct detection of this vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the aiohttp library to version 3.13.3 or later, where the vulnerability is fixed by enforcing a global size limit on multipart form data during HTTP POST requests. This prevents memory exhaustion by limiting the total size of incoming multipart payloads. Additionally, ensure that your server configuration sets an appropriate 'client_max_size' to restrict the maximum allowed size of client requests. [1, 2]
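The explanation above says the limit was enforced per part but not across the whole multipart body, and the mitigation answer points to a request-wide cap. The following is an added example written for this page, not aiohttp's own code, showing why those two checks differ: a small multipart/form-data reader that keeps a running total over every part and rejects the request the moment the total passes a global budget. The parser, the `PayloadTooLarge` exception, the `build_multipart` helper and the sample bodies are all constructed for the illustration; in a real deployment the framework's own knob (`aiohttp.web.Application(client_max_size=...)`) should be used rather than a hand-written parser.

```python
"""
Added example (not aiohttp's own code): a minimal multipart/form-data reader
that enforces a *global* byte budget across every part of the request body,
the property the advisory says was missing in aiohttp <= 3.13.2 (each part
was bounded, but the sum of all parts was not).

Everything here (the parser, PayloadTooLarge, build_multipart and the sample
bodies) is constructed for this illustration.
"""
from __future__ import annotations


class PayloadTooLarge(Exception):
    """Raised as soon as a per-part or request-wide size limit is exceeded."""


def build_multipart(fields: dict[str, bytes], boundary: bytes) -> bytes:
    """Build a multipart/form-data body (constructed sample input, not from the page)."""
    out = bytearray()
    for name, value in fields.items():
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        out += value + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def read_form(body: bytes, boundary: bytes, *, max_part: int, max_total: int) -> dict[str, bytes]:
    """
    Parse `body` one part at a time.

    max_part  - per-field limit (the kind of check the vulnerable code already had)
    max_total - request-wide limit (the check the fix adds)

    The running total is checked before a part's bytes are retained, so the
    parser never holds more than max_total bytes plus a single part.
    """
    delim = b"--" + boundary
    fields: dict[str, bytes] = {}
    total = 0
    pos = 0
    while True:
        start = body.find(delim, pos)
        if start == -1:
            raise ValueError("malformed body: missing boundary")
        start += len(delim)
        if body[start:start + 2] == b"--":
            return fields  # closing delimiter reached, every part fit the budget
        hdr_end = body.find(b"\r\n\r\n", start)
        if hdr_end == -1:
            raise ValueError("malformed body: part headers not terminated")
        headers = body[start:hdr_end].decode("latin-1")
        name = headers.split('name="', 1)[1].split('"', 1)[0]
        data_start = hdr_end + 4
        data_end = body.find(b"\r\n" + delim, data_start)
        if data_end == -1:
            raise ValueError("malformed body: part not terminated")
        size = data_end - data_start
        if size > max_part:
            raise PayloadTooLarge(f"field {name!r}: {size} bytes exceeds per-part limit {max_part}")
        total += size
        if total > max_total:  # the request-wide check: many small parts add up
            raise PayloadTooLarge(f"request total {total} bytes exceeds global limit {max_total}")
        fields[name] = body[data_start:data_end]
        pos = data_end


def outcome(body: bytes, boundary: bytes, *, max_part: int, max_total: int) -> str:
    """Return a one-line verdict so the two limit policies can be compared."""
    try:
        fields = read_form(body, boundary, max_part=max_part, max_total=max_total)
    except PayloadTooLarge:
        return "rejected"
    return f"accepted {len(fields)} fields"


# Constructed sample bodies: a normal small form, and ten 1 KiB fields that each
# fit under a 4 KiB per-part limit but together exceed a 6 KiB request budget.
BOUNDARY = b"exampleboundary"
SMALL = build_multipart({"user": b"alice", "note": b"hi"}, BOUNDARY)
MANY_SMALL_PARTS = build_multipart({f"f{i}": b"x" * 1024 for i in range(10)}, BOUNDARY)

if __name__ == "__main__":
    print("small form, both limits:      ", outcome(SMALL, BOUNDARY, max_part=4096, max_total=6144))
    print("10 x 1 KiB, per-part only:    ", outcome(MANY_SMALL_PARTS, BOUNDARY, max_part=4096, max_total=10**9))
    print("10 x 1 KiB, per-part + global:", outcome(MANY_SMALL_PARTS, BOUNDARY, max_part=4096, max_total=6144))
```

The second and third calls make the advisory's point concrete: with only a per-part ceiling the ten-field body is accepted in full, while the global budget rejects it after the seventh field, before the rest is ever buffered. The global check is also the one that is cheap to apply early, which is why an application-level setting such as `client_max_size` is the recommended mitigation alongside the version upgrade.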