AIOHTTP vulnerable to DoS through chunked messages

GHSA-g84x-mcqj-x9qq · CVE-2025-69229

Published Jan 5, 2026 · Modified Feb 4, 2026

Description

Summary

Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.

Impact

If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.

Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229

References

WEB https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-69229
WEB https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
WEB https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
PACKAGE https://github.com/aio-libs/aiohttp

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes