CVE-2025-69230
Unknown Unknown - Not Provided
Logging Storm Vulnerability in AIOHTTP Cookie Handling

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. This issue is fixed in 3.13.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69230
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
aio-libs aiohttp to 3.13.2 (inc)
aio-libs aiohttp 3.13.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-779 The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in aiohttp versions 3.13.2 and below occurs when reading multiple invalid cookies from a specially crafted Cookie header. Accessing the cookies attribute in an application can trigger a storm of warning-level log entries, known as a logging storm. This happens because each invalid cookie name generates a separate warning log, leading to excessive log noise. The issue was fixed in version 3.13.3 by consolidating all invalid cookie warnings into a single debug-level log entry, reducing log flooding. [1, 2]

Impact Analysis

An attacker can exploit this vulnerability by sending a specially crafted Cookie header with multiple invalid cookies, causing a flood of warning-level log entries (a logging storm). This excessive logging can overwhelm log management and monitoring systems, potentially hiding other important log messages or degrading system performance related to logging. [2]

Detection Guidance

This vulnerability can be detected by monitoring your application's logs for a storm of warning-level log entries related to illegal cookie names when processing Cookie headers. Specifically, look for repeated warning messages indicating invalid cookie names in aiohttp logs. Since the issue triggers excessive warning logs upon accessing the cookies attribute with specially crafted Cookie headers, you can use log analysis commands such as `grep` or `tail` to identify these warnings. For example, you might run `grep -i 'illegal cookie name' /path/to/your/logfile` or `tail -f /path/to/your/logfile | grep --line-buffered -i 'illegal cookie name'` to detect the logging storm. Additionally, monitoring network traffic for suspicious Cookie headers with multiple invalid cookies could help, but no specific network commands are provided in the resources. [1, 2]

Mitigation Strategies

The immediate mitigation step is to upgrade the aiohttp package to version 3.13.3 or later, where the vulnerability has been fixed. The fix consolidates multiple warning logs into a single debug-level log entry, preventing the logging storm caused by multiple invalid cookies. Until the upgrade is applied, consider monitoring and filtering logs to manage the warning storm and avoid log flooding. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69230. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart