Several vulnerabilities have been found in aiohttp, an asynchronous
HTTP client/server framework for asyncio and Python.
CVE-2025-53643
Request smuggling vulnerability due to not parsing trailer sections
of an HTTP request.
CVE-2025-69224
Possible request smuggling attack in the HTTP parser with the
presence of non-ASCII characters.
CVE-2025-69225
Parser logic allows non-ASCII decimals to be present in the
Range header.
CVE-2025-69226
Path traversal vulnerability that allows an attacker to ascertain
the existence of path components.
CVE-2025-69227
When processing a POST body, an infinite loop can occur when assert
statements are bypassed, leading to a possible DoS attack.
CVE-2025-69228
Possible DoS attack that can freeze the server by exhausting the
memory using Request.post().
CVE-2025-69229
The handling of chunked messages can result in excessive
blocking CPU usage when receiving a large number of chunks.
CVE-2026-22815
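
For CVE-2025-69225 above, an added example (not aiohttp's code or its fix) contrasting a lenient Range parser with a strict ASCII-only one, to show how non-ASCII decimals get through and how to reject them. The function names and sample headers are constructed for illustration, and only the single-range `bytes=first-last` form is handled.

```python
import re

# Lenient: on str input, \d matches any Unicode decimal digit (category Nd).
LENIENT = re.compile(r"bytes=(\d*)-(\d*)")
# Strict: RFC 9110 range positions are 1*DIGIT, and DIGIT is ASCII 0-9 only.
STRICT = re.compile(r"bytes=([0-9]*)-([0-9]*)")

# Constructed sample headers (not taken from any real traffic).
SAMPLES = [
    "bytes=0-499",                    # plain ASCII
    "bytes=-500",                     # suffix range
    "bytes=\u0661\u0662\u0663-",      # Arabic-Indic digits for 123
    "bytes=\uff10-\uff19",            # fullwidth digits 0 and 9
]


def _parse(pattern, value):
    m = pattern.fullmatch(value)
    if m is None or not (m.group(1) or m.group(2)):
        return None                   # malformed, or "bytes=-" with no position
    first, last = m.groups()
    # int() also accepts non-ASCII decimal digits, so the regex is the only gate.
    first = int(first) if first else None
    last = int(last) if last else None
    if first is not None and last is not None and first > last:
        return None
    return first, last


def parse_range_lenient(value):
    """Hypothetical parser that lets non-ASCII decimals through."""
    return _parse(LENIENT, value)


def parse_range_strict(value):
    """Hardened parser: any non-ASCII digit makes the header invalid."""
    return _parse(STRICT, value)


def disagreements(values):
    """Headers the lenient parser accepts but the strict one rejects."""
    return [v for v in values
            if parse_range_lenient(v) is not None and parse_range_strict(v) is None]


if __name__ == "__main__":
    for v in disagreements(SAMPLES):
        print(ascii(v), "->", parse_range_lenient(v))
```

The same `disagreements` check can be run over logged Range header values to find requests that only a lenient parser would have honoured.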