CVE-2025-69224

Absolute Zero Security: Smuggling Requests into aiohttp with the Kelvin Sign

Amit Schendel, Senior Security Researcher

Jan 5, 2026 · 7 min read

Executive Summary (TL;DR)

aiohttp's pure-Python parser incorrectly normalizes certain Unicode characters (such as the Kelvin sign, U+212A) into ASCII during HTTP header processing. A Transfer-Encoding value of 'chunKed' written with the Kelvin sign therefore becomes 'chunked' on the aiohttp backend, while a front-end proxy that does not apply Unicode case folding sees an unrecognized encoding. The two components then disagree on how the request body is framed, and that desynchronization enables HTTP Request Smuggling.

A high-impact HTTP Request Smuggling vulnerability in aiohttp's pure-Python parser allows attackers to bypass security controls by exploiting Unicode case-folding anomalies (specifically the Kelvin sign 'K', U+212A).
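The folding mismatch described above, as an added example (not aiohttp's own code): a constructed Transfer-Encoding line carrying the Kelvin sign is compared under Python's full-Unicode str.lower() and under ASCII-only bytes.lower(), and a detection check flags non-ASCII bytes in framing headers so a proxy or log rule can catch the mismatch.

```python
# Added example, not code from aiohttp. All header lines below are constructed.

KELVIN_UTF8 = "\u212a".encode("utf-8")  # 'K' KELVIN SIGN on the wire: e2 84 aa

# "chunked" with its ASCII 'k' replaced by the Kelvin sign, plus a normal line.
SMUGGLED_TE = b"Transfer-Encoding: chun" + KELVIN_UTF8 + b"ed\r\n"
NORMAL_TE = b"Transfer-Encoding: chunked\r\n"


def split_header(line: bytes):
    """Split one raw header line into (name, value), both stripped."""
    name, _, value = line.rstrip(b"\r\n").partition(b":")
    return name.strip(), value.strip()


def is_chunked_unicode_fold(line: bytes) -> bool:
    """The vulnerable pattern: decode to str, then compare with str.lower().
    str.lower() applies the full Unicode case mapping, so U+212A becomes 'k'."""
    _, value = split_header(line)
    text = value.decode("utf-8", "surrogateescape")
    return "chunked" in [v.strip().lower() for v in text.split(",")]


def is_chunked_ascii_fold(line: bytes) -> bool:
    """What an ASCII-only intermediary sees: bytes.lower() folds only A-Z,
    so the Kelvin sign stays three opaque bytes and the value is not 'chunked'."""
    _, value = split_header(line)
    return b"chunked" in [v.strip().lower() for v in value.split(b",")]


def flag_non_ascii_framing_headers(raw_headers: bytes) -> list:
    """Detection rule: framing headers (Transfer-Encoding, Content-Length) are
    defined as ASCII tokens, so any non-ASCII byte in them is reported."""
    findings = []
    for line in raw_headers.split(b"\r\n"):
        if not line:
            continue
        name, value = split_header(line)
        if name.lower() in (b"transfer-encoding", b"content-length") and not value.isascii():
            findings.append(f"{name.decode()}: non-ASCII bytes {value.hex()}")
    return findings
```

Running both checks on SMUGGLED_TE shows the backend accepting chunked framing that the ASCII-only side rejects, which is exactly the disagreement smuggling relies on.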

Fix Analysis (1)

Technical Appendix

CVSS Score
6.3 / 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Systems

aiohttp < 3.13.3 (pure-Python parser mode)
Applications using AIOHTTP_NO_EXTENSIONS=1
PyPy environments running aiohttp

Affected Versions Detail

Product: aiohttp (aio-libs)
Affected Versions: < 3.13.3
Fixed Version: 3.13.3

Attribute / Detail
CWE: CWE-444 (HTTP Request Smuggling)
CVSS v4.0: 6.3 (Medium)
Attack Vector: Network (Protocol Manipulation)
Impact: Security Bypass / Cache Poisoning
Root Cause: Unicode Normalization (Kelvin Sign)
Affected Component: aiohttp pure-Python parser

CWE-444: HTTP Request Smuggling
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Vulnerability Timeline

2025-01-03: Fix committed to aiohttp repository
2025-01-05: GHSA-69f9-5gxw-wvc2 published
2025-01-05: aiohttp v3.13.3 released
