CVE-2025-69228
Unknown Unknown - Not Provided
Memory Exhaustion Vulnerability in AIOHTTP Request.post() Handler

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69228
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
aio-libs aiohttp to 3.13.2 (inc)
aio-libs aiohttp 3.13.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in aiohttp versions 3.13.2 and below allows an attacker to craft a specially designed HTTP POST request with multipart form data that causes the server's memory to fill up uncontrollably during processing. The issue occurs because the size limit on multipart form data was not properly enforced across the entire request, allowing excessively large payloads to be processed. This can lead to memory exhaustion and potentially freeze the server. The vulnerability is fixed in version 3.13.3 by enforcing a global size limit on the entire multipart form data during POST requests. [1, 2]

Impact Analysis

If your application uses aiohttp versions 3.13.2 or below and includes handlers that use the Request.post() method, an attacker can exploit this vulnerability by sending large multipart form data payloads. This can cause your server's memory to be exhausted, leading to denial of service by freezing the server and making it unresponsive to legitimate users. [2]

Detection Guidance

To detect this vulnerability, monitor your aiohttp server for unusually high memory usage or freezing behavior during processing of HTTP POST requests, especially those involving multipart form data. You can use system monitoring commands such as 'top' or 'htop' on Linux to observe memory consumption. Additionally, capturing and analyzing HTTP POST requests with tools like 'tcpdump' or 'Wireshark' may help identify unusually large multipart form submissions. There are no specific commands provided in the resources for direct detection of this vulnerability. [1, 2]

Mitigation Strategies

The immediate mitigation step is to upgrade the aiohttp library to version 3.13.3 or later, where the vulnerability is fixed by enforcing a global size limit on multipart form data during HTTP POST requests. This prevents memory exhaustion by limiting the total size of incoming multipart payloads. Additionally, ensure that your server configuration sets an appropriate 'client_max_size' to restrict the maximum allowed size of client requests. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart