CVE-2025-69229

Name	CVE-2025-69229
Description	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-aiohttp (PTS)	bullseye	3.7.4-1	vulnerable
	bullseye (security)	3.7.4-1+deb11u1	vulnerable
	bookworm, bookworm (security)	3.8.4-1+deb12u1	vulnerable
	trixie	3.11.16-1	vulnerable
	forky	3.13.1-1	vulnerable
	sid	3.13.3-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
python-aiohttp	source	(unstable)	3.13.3-1

Notes

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
Fixed by: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712 (v3.13.3)
Fixed by: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229 (v3.13.3)