Jan 5, 2026
aiohttp's pure-Python parser incorrectly normalizes certain Unicode characters (such as the Kelvin sign) into ASCII during HTTP header processing. As a result, a Transfer-Encoding value of 'chunKed' is accepted as 'chunked' by the backend, while a front-end proxy treats the same value as unrecognized. The two components then disagree about where the request body ends, and that desynchronization enables HTTP Request Smuggling.
A high-impact HTTP Request Smuggling vulnerability in aiohttp's pure-Python parser allows attackers to bypass security controls using Unicode case-folding anomalies (specifically the Kelvin sign 'K', U+212A, which case-folds to ASCII 'k').
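The following is an added illustration, not aiohttp's own parser code: it shows why case-folding a header value with full Unicode rules before validating it collapses the Kelvin sign into ASCII 'k', and how a strict ASCII-token check (the hardened form) keeps both ends of a proxy chain in agreement. The function names and the sample header value are constructed for this example.

```python
# Added example (not aiohttp's code): lenient vs. strict handling of a
# Transfer-Encoding value containing the Kelvin sign (U+212A).
import re

KELVIN_SIGN = "\u212a"  # 'K'; Unicode lowercase mapping turns it into ASCII 'k'

# RFC 9110 token characters; transfer-coding names must be tokens.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def lenient_is_chunked(value: str) -> bool:
    """Vulnerable pattern: case-fold first, then compare.

    str.lower() applies full Unicode case mapping, so 'chun\u212aed'
    becomes 'chunked' and is accepted as the chunked coding.
    """
    return value.lower() == "chunked"


def strict_is_chunked(value: str) -> bool:
    """Hardened pattern: reject anything that is not an ASCII token
    before comparing, so only ASCII letters are ever case-folded."""
    if not value.isascii() or _TOKEN_RE.fullmatch(value) is None:
        return False
    return value.lower() == "chunked"


def parser_disagreement(value: str) -> bool:
    """True when a lenient backend and a strict front end disagree on
    whether the body is chunked, i.e. the desynchronization condition."""
    return lenient_is_chunked(value) != strict_is_chunked(value)


if __name__ == "__main__":
    sample = "chun" + KELVIN_SIGN + "ed"  # constructed sample header value
    for v in ("chunked", "CHUNKED", sample, "gzip"):
        print(repr(v), lenient_is_chunked(v), strict_is_chunked(v),
              parser_disagreement(v))
```

Only the constructed Kelvin-sign value produces a disagreement; plain ASCII values, in any letter case, are judged identically by both functions.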
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| aiohttp (aio-libs) | < 3.13.3 | 3.13.3 |
| Attribute | Detail |
|---|---|
| CWE | CWE-444 (HTTP Request Smuggling) |
| CVSS v4.0 | 6.3 (Medium) |
| Attack Vector | Network (Protocol Manipulation) |
| Impact | Security Bypass / Cache Poisoning |
| Root Cause | Unicode Normalization (Kelvin Sign) |
| Affected Component | aiohttp pure-Python parser |
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')