CVE-2025-69224

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-69224
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-69224.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-69224
Aliases
Downstream
Related
Published
2026-01-05T22:35:42.084Z
Modified
2026-06-18T03:55:54.682064250Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
AIOHTTP's Unicode processing of header values could cause parsing discrepancies
Details

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTPNOEXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3.

Database specific 
{
    "cwe_ids": [
        "CWE-444"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69224.json"
}
References

Affected packages

Git / github.com/aio-libs/aiohttp

Affected ranges

Type
GIT
Repo
https://github.com/aio-libs/aiohttp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
41f01ed680b7efc8f97677df45731b80328aad6c
Fixed
32677f2adfd907420c078dda6b79225c6f4ebce0
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.13.3"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*"
}

Affected versions

0.*
0.15.2
0.8.2
1.*
1.3.0
2.*
2.0.0
2.0.0rc1
4v0.*
4v0.21.6
v.*
v.0.6.5
v0.*
v0.1
v0.10.0
v0.10.1
v0.11.0
v0.12.0
v0.13.0
v0.13.1
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.14.4
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.17.0
v0.18.0
v0.19.0
v0.2
v0.20.0
v0.20.1
v0.21.0
v0.22.0
v0.22.0b0
v0.22.0b1
v0.22.0b2
v0.22.0b3
v0.22.0b4
v0.22.0b5
v0.22.0b6
v0.22.1
v0.3
v0.4
v0.4.1
v0.4.2
v0.5.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.1
v0.8.3
v0.8.4
v0.9.0
v0.9.1
v0.9.2
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.2.0
v2.*
v2.1.0
v2.2.0
v2.3.0
v2.3.0a1
v2.3.0a2
v2.3.0a3
v2.3.0a4
v3.*
v3.0.0b0
v3.0.0b1
v3.0.0b2
v3.0.0b3
v3.0.0b4
v3.1.0
v3.10.0
v3.10.0b0
v3.10.0b1
v3.10.0rc0
v3.11.0
v3.11.0b0
v3.11.0b1
v3.11.0b2
v3.11.0b3
v3.11.0b4
v3.11.0b5
v3.11.0rc0
v3.11.0rc1
v3.11.0rc2
v3.12.0
v3.12.0b0
v3.12.0b1
v3.12.0b2
v3.12.0b3
v3.12.0rc0
v3.12.0rc1
v3.13.0
v3.13.1
v3.13.2
v3.2.0
v3.4.0
v3.4.0a0
v3.4.0a3
v3.4.0b1
v3.4.0b2
v3.5.0
v3.5.0a1
v3.5.0b1
v3.5.0b2
v3.5.0b3
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.6.0
v3.6.0a0
v3.6.0a1
v3.6.0a10
v3.6.0a11
v3.6.0a12
v3.6.0a2
v3.6.0a3
v3.6.0a4
v3.6.0a5
v3.6.0a6
v3.6.0a7
v3.6.0a8
v3.6.0a9
v3.6.0b0
v3.6.1
v3.6.1b3
v3.6.1b4
v3.6.2
v3.6.2a1
v3.6.2a2
v3.7.0
v3.7.0b0
v3.7.0b1
v3.7.1
v3.8.0
v3.9.0
v3.9.0b0
v3.9.0b1
v3.9.0rc0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-69224.json"