UNKNOWN PyPI

AIOHTTP has unicode match groups in regexes for ASCII protocol elements

GHSA-mqqc-3gqh-h2x8 · CVE-2025-69225


Description

Summary

The parser allows non-ASCII decimals to be present in the Range header.

Impact

There is no known impact, but it is possible that a method exists to exploit this as a request smuggling vulnerability.


Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
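
The behaviour described in the Summary, as an added example that is not aiohttp's code and not taken from the linked patch: in Python, `\d` in a str pattern matches any Unicode decimal digit, and `int()` accepts the same characters, so a Range matcher written that way parses non-ASCII digits unless it is restricted with `re.ASCII` (or `[0-9]`). The patterns, function names and header values below are constructed for illustration.

```python
import re

# Illustrative patterns (assumed, not copied from aiohttp): a Range matcher
# using \d on str input, and the same matcher restricted to ASCII digits.
LENIENT_RANGE = re.compile(r"^bytes=(\d*)-(\d*)$")
STRICT_RANGE = re.compile(r"^bytes=(\d*)-(\d*)$", re.ASCII)


def parse_range(value, pattern):
    """Return (start, end) as int or None each, or None if the header is rejected."""
    match = pattern.match(value)
    if match is None:
        return None
    start, end = match.groups()
    # int() also accepts any Unicode decimal digit, so the conversion step
    # will not reject what the regex let through.
    return (int(start) if start else None, int(end) if end else None)


def non_ascii_digits(value):
    """List characters that are decimal digits but fall outside ASCII 0-9."""
    return [c for c in value if c.isdecimal() and not c.isascii()]


# Constructed sample header values.
ASCII_HEADER = "bytes=0-499"
ARABIC_INDIC_HEADER = "bytes=\u0661\u0662-\u0663\u0664"  # Arabic-Indic digits 12-34
FULLWIDTH_HEADER = "bytes=\uff10-\uff19\uff19"           # fullwidth digits 0-99

if __name__ == "__main__":
    for header in (ASCII_HEADER, ARABIC_INDIC_HEADER, FULLWIDTH_HEADER):
        print(
            ascii(header),
            "lenient:", parse_range(header, LENIENT_RANGE),
            "strict:", parse_range(header, STRICT_RANGE),
            "non-ASCII digits:", len(non_ascii_digits(header)),
        )
```

A front-end proxy or WAF that only recognises ASCII digits would treat the second and third headers as malformed while the lenient parser reads them as valid ranges; `non_ascii_digits` can serve as a log or test check for such values.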
