DoS via Zip Bomb in AIOHTTP 3.13.2 (fixed 3.13.3)
CVE-2025-69223 Published on January 5, 2026
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
Vulnerability Analysis
CVE-2025-69223 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Types
What is a Data Amplification Vulnerability?
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
CVE-2025-69223 has been classified to as a Data Amplification vulnerability or weakness.
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2025-69223
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-69223 are published in these products:
Affected Versions
aio-libs aiohttp:- Version < 3.13.3 is affected.
- Version 0:4.5.30-1.el8ap and below * is unaffected.
- Version 0:4.5.30-1.el9ap and below * is unaffected.
- Version 0:4.6.25-1.el8ap and below * is unaffected.
- Version 0:3.13.3-2.el8ap and below * is unaffected.
- Version 0:4.6.25-1.el9ap and below * is unaffected.
- Version 0:3.13.3-2.el9ap and below * is unaffected.
- Version 0:4.7.8-1.el9ap and below * is unaffected.
- Version 0:3.13.3-2.el9ap and below * is unaffected.
- Version 1772160593 and below * is unaffected.
- Version 1772160625 and below * is unaffected.
- Version 1768524420 and below * is unaffected.
- Version 1768871210 and below * is unaffected.
- Version 1774414699 and below * is unaffected.
- Version 1774446874 and below * is unaffected.
- Version 1768890500 and below * is unaffected.
- Version 1768846975 and below * is unaffected.
- Version 1768853828 and below * is unaffected.
- Version 1772499904 and below * is unaffected.
- Version 1772508458 and below * is unaffected.
- Version 1772473168 and below * is unaffected.
- Version 1774417022 and below * is unaffected.
- Version 1776338381 and below * is unaffected.
- Version 1776259063 and below * is unaffected.
- Version 1770055932 and below * is unaffected.
- Version 1770103375 and below * is unaffected.
- Version 1770786633 and below * is unaffected.
- Version 1770054044 and below * is unaffected.
- Version 1770621450 and below * is unaffected.
- Version 1770055428 and below * is unaffected.
- Version 1770103255 and below * is unaffected.
- Version 1770053703 and below * is unaffected.
- Version 1770053831 and below * is unaffected.
- Version 1770053721 and below * is unaffected.
- Version 1770053740 and below * is unaffected.
- Version 1770053864 and below * is unaffected.
- Version 1770245096 and below * is unaffected.
- Version 1770059269 and below * is unaffected.
- Version 1770053785 and below * is unaffected.
- Version 1770055405 and below * is unaffected.
- Version 1770055397 and below * is unaffected.
- Version 1770053733 and below * is unaffected.
- Version 1770053728 and below * is unaffected.
- Version 1770053730 and below * is unaffected.
- Version 1770053829 and below * is unaffected.
- Version 1770053864 and below * is unaffected.
- Version 1770053748 and below * is unaffected.
- Version 1770053723 and below * is unaffected.
- Version 1770055425 and below * is unaffected.
- Version 1772093250 and below * is unaffected.
- Version 1778264363 and below * is unaffected.
- Version 1771840993 and below * is unaffected.
- Version 1771608633 and below * is unaffected.
- Version 1771502869 and below * is unaffected.
- Version 1771502930 and below * is unaffected.
- Version 1771502912 and below * is unaffected.
- Version 1771502889 and below * is unaffected.
- Version 1771502843 and below * is unaffected.
- Version 1771502897 and below * is unaffected.
- Version 1771502844 and below * is unaffected.
- Version 1771498500 and below * is unaffected.
- Version 1771498500 and below * is unaffected.
- Version 1771498575 and below * is unaffected.
- Version 1771498574 and below * is unaffected.
- Version 1771498638 and below * is unaffected.
- Version 1771498636 and below * is unaffected.
- Version 1770956034 and below * is unaffected.
- Version 1771502870 and below * is unaffected.
- Version 1771511331 and below * is unaffected.
- Version 1771502906 and below * is unaffected.
- Version 1771502921 and below * is unaffected.
- Version 1771502845 and below * is unaffected.
- Version 1771502863 and below * is unaffected.
- Version 1771502906 and below * is unaffected.
- Version 1771502910 and below * is unaffected.
- Version 1771502884 and below * is unaffected.
- Version 1771874181 and below * is unaffected.
- Version 1782789749 and below * is unaffected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-69223
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| pip | aiohttp | <= 3.13.2 | 3.13.3 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.