CVE-2025-69230
Logging Storm Vulnerability in AIOHTTP Cookie Handling
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aio-libs | aiohttp | up to and including 3.13.2 |
| aio-libs | aiohttp | 3.13.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-779 | The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in aiohttp versions 3.13.2 and below occurs when multiple invalid cookies are read from a specially crafted Cookie header. When the application accesses the request's `cookies` attribute, it can trigger a storm of warning-level log entries, known as a logging storm. This happens because each invalid cookie name generates a separate warning log, leading to excessive log noise. The issue was fixed in version 3.13.3 by consolidating all invalid cookie warnings into a single debug-level log entry, reducing log flooding. [1, 2]
How can this vulnerability impact me?
An attacker can exploit this vulnerability by sending a specially crafted Cookie header with multiple invalid cookies, causing a flood of warning-level log entries (a logging storm). This excessive logging can overwhelm log management and monitoring systems, potentially hiding other important log messages or degrading system performance related to logging. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring your application's logs for a storm of warning-level log entries related to illegal cookie names when processing Cookie headers. Specifically, look for repeated warning messages indicating invalid cookie names in aiohttp logs. Since the issue triggers excessive warning logs upon accessing the cookies attribute with specially crafted Cookie headers, you can use log analysis commands such as `grep` or `tail` to identify these warnings. For example, you might run `grep -i 'illegal cookie name' /path/to/your/logfile` or `tail -f /path/to/your/logfile | grep --line-buffered -i 'illegal cookie name'` to detect the logging storm. Additionally, monitoring network traffic for suspicious Cookie headers with multiple invalid cookies could help, but no specific network commands are provided in the resources. [1, 2]
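The `grep` commands above find individual warnings; a storm is recognisable only when the warnings are counted per time window. The following is an added example (not code from the aiohttp project or from this advisory) that buckets illegal-cookie warnings by minute over constructed log lines. The log layout (`%(asctime)s %(levelname)s %(name)s %(message)s`), the logger name `aiohttp.web` and the exact warning wording are assumptions; the matched phrase `illegal cookie name` is the one the detection text greps for, and the threshold of five warnings per minute is an arbitrary tuning value.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Phrase from the advisory's suggested grep; matched case-insensitively.
ILLEGAL_COOKIE_RE = re.compile(r"illegal cookie name", re.IGNORECASE)

# Assumed log layout: "%(asctime)s %(levelname)s %(name)s %(message)s" with
# the default asctime format. Seconds and milliseconds are dropped so that
# entries are bucketed per minute.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}):\d{2},\d{3} "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) (?P<msg>.*)$"
)


def _burst(ts: str, n: int) -> List[str]:
    """Constructed helper: n illegal-cookie warnings sharing one timestamp,
    as one crafted Cookie header with n bad names would produce."""
    return [
        f"{ts} WARNING aiohttp.web Can not load cookie: Illegal cookie name 'bad{i} name'"
        for i in range(n)
    ]


# Constructed sample log: one burst of 8 warnings from a single request,
# plus an isolated warning five minutes later that is not a storm.
SAMPLE_LOG: List[str] = (
    ['2026-01-06 10:00:00,001 INFO aiohttp.access 10.0.0.5 "GET /login HTTP/1.1" 200']
    + _burst("2026-01-06 10:00:01,120", 8)
    + [
        '2026-01-06 10:00:02,000 INFO aiohttp.access 10.0.0.5 "GET /app HTTP/1.1" 200',
        "2026-01-06 10:05:00,000 WARNING aiohttp.web Can not load cookie: Illegal cookie name 'x y'",
    ]
)


def count_illegal_cookie_warnings(lines: Iterable[str]) -> Dict[str, int]:
    """Count WARNING-level illegal-cookie-name entries per minute bucket."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["level"] != "WARNING":
            continue
        if ILLEGAL_COOKIE_RE.search(m["msg"]):
            counts[f"{m['date']} {m['time']}"] += 1
    return dict(counts)


def detect_logging_storm(lines: Iterable[str], threshold: int = 5) -> Dict[str, int]:
    """Return only the minute buckets whose warning count reaches the threshold."""
    return {
        minute: n
        for minute, n in count_illegal_cookie_warnings(lines).items()
        if n >= threshold
    }


if __name__ == "__main__":
    for minute, n in sorted(detect_logging_storm(SAMPLE_LOG).items()):
        print(f"possible logging storm at {minute}: {n} illegal-cookie warnings")
```

On a real deployment, feed the function the output of `tail -f` or your log shipper and adjust `LINE_RE` to the formatter actually in use; the point is that a single request yielding many warnings in the same second is the signature, not any one warning line.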
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the aiohttp package to version 3.13.3 or later, where the vulnerability has been fixed. The fix consolidates multiple warning logs into a single debug-level log entry, preventing the logging storm caused by multiple invalid cookies. Until the upgrade is applied, consider monitoring and filtering logs to manage the warning storm and avoid log flooding. [2, 1]
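Upgrading is the fix; where that has to wait, "filtering logs to manage the warning storm" can be done inside the application's logging setup rather than downstream. The following is an added example, not aiohttp's code or its fix: a `logging.Filter` that lets the first few warnings sharing one message template through per time window and silently counts the rest. It is attached to the handler, not to a logger, because logger-level filters are not applied to records propagated from child loggers. The logger name `aiohttp.web` and the warning template used in the simulation are assumptions standing in for whatever the affected version actually emits.

```python
import logging
import time
from collections import defaultdict
from typing import Dict, List, Tuple


class BurstSuppressFilter(logging.Filter):
    """Pass at most `limit` WARNING-or-higher records per (logger, message
    template) in any `window` seconds; drop and count the rest.

    Keying on record.msg (the template before %-interpolation) groups all
    occurrences of one log call even though the cookie name argument varies.
    A library that pre-formats its message would need a prefix-based key.
    """

    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.monotonic):
        super().__init__()
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable for deterministic tests
        self._window_state: Dict[Tuple[str, str], Tuple[float, int]] = {}
        self.suppressed: Dict[Tuple[str, str], int] = defaultdict(int)

    def filter(self, record: logging.LogRecord) -> bool:
        if record.levelno < logging.WARNING:
            return True  # never throttle INFO/DEBUG traffic
        key = (record.name, str(record.msg))
        now = self.clock()
        start, seen = self._window_state.get(key, (now, 0))
        if now - start >= self.window:
            start, seen = now, 0  # window expired, start counting afresh
        seen += 1
        self._window_state[key] = (start, seen)
        if seen > self.limit:
            self.suppressed[key] += 1
            return False
        return True


class ListHandler(logging.Handler):
    """Collects records in memory so the effect of the filter can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[logging.LogRecord] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def simulate_storm(n_warnings: int, limit: int = 5) -> Tuple[int, int]:
    """Emit n_warnings per-cookie warnings through a filtered handler and
    return (warnings_emitted, warnings_suppressed)."""
    logger = logging.getLogger("aiohttp.web")  # assumed emitter of the cookie warning
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler()
    flt = BurstSuppressFilter(limit=limit)
    handler.addFilter(flt)
    logger.addHandler(handler)
    try:
        for i in range(n_warnings):
            # Constructed stand-in for the per-cookie warning; %r keeps
            # record.msg stable while the offending name changes.
            logger.warning("Can not load cookie: Illegal cookie name %r", f"bad{i} name")
        logger.info("request handled")  # passes untouched
        emitted = sum(1 for r in handler.records if r.levelno >= logging.WARNING)
        return emitted, sum(flt.suppressed.values())
    finally:
        logger.removeHandler(handler)


if __name__ == "__main__":
    emitted, suppressed = simulate_storm(200)
    print(f"200 warnings from one crafted header: {emitted} logged, {suppressed} suppressed")
```

In production you would add the filter to whatever handler the aiohttp loggers write to (`logging.getLogger().handlers` for a root-configured setup) and periodically log `flt.suppressed` as a single summary line, which is the same shape the 3.13.3 fix gives the warning: one entry per request rather than one per cookie.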