CVE-2025-69224NVD

Vulnerability Summary

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3.

Severity Level

MEDIUM(6.3)

Published Date

Jan 5, 2026

Last Modified

Jan 14, 2026

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-444: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v4.0 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

External References

https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2

Critical Alert 2 Active Exploits Detected Today

Critical Alert

CVE Watchtower

CVE-2025-69224NVD

Vulnerability Summary

External References