AIOHTTP vulnerable to DoS when bypassing asserts

GHSA-jj3x-wxrx-4x23 · CVE-2025-69227

Published Jan 5, 2026 · Modified Feb 4, 2026

Description

Summary

When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.

Impact

If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message.

Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259

References

WEB https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-69227
WEB https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259
PACKAGE https://github.com/aio-libs/aiohttp

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes