Jan 6, 2026
Python's `re` module is Unicode-aware by default, so `\d` matches any Unicode decimal digit, not just `0-9`. aiohttp failed to restrict its `Range` header parser to ASCII digits, allowing attackers to use characters such as Devanagari digits to slip payloads past strict upstream proxies while the backend still treats them as valid numbers. Fixed in version 3.13.3.
A regex flaw in aiohttp allows Unicode digits to bypass HTTP validation, enabling potential request smuggling and cache poisoning via parser differentials.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

| Product | Affected Versions | Fixed Version |
|---|---|---|
| aiohttp (aio-libs) | <= 3.13.2 | 3.13.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-444 |
| Attack Vector | Network |
| CVSS v4.0 | 2.7 (Low) |
| Impact | Low (Integrity) |
| Exploit Status | PoC Available |
| Pattern | Regex Mismatch / Parser Differential |
The web application or API relies on an HTTP intermediary (proxy, CDN, or cache) to perform security checks, but the intermediary interprets the request differently from the backend, so a request the intermediary does not recognise as a valid `Range` can still be honoured by the backend.
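The following is an added example, not aiohttp's own code, illustrating both the `\d` behaviour described in the opening paragraph and the intermediary-versus-backend differential described in the pattern above. The `Range` regexes are assumptions chosen to be representative of a lenient parser and its ASCII-restricted fix; they are not aiohttp's actual patterns. The Devanagari sample header is constructed for the demonstration.

```python
import re
import unicodedata

# Lenient pattern (assumption, illustrative of the flaw class): with the
# default flags, \d matches any Unicode category-Nd digit.
LENIENT_RANGE = re.compile(r"bytes=(\d*)-(\d*)")

# Hardened pattern (assumption, illustrative of the fix): an explicit
# [0-9] class only ever matches ASCII digits.
STRICT_RANGE = re.compile(r"bytes=([0-9]*)-([0-9]*)")

# Equivalent hardening that keeps \d but pins it to ASCII via re.ASCII.
ASCII_FLAG_RANGE = re.compile(r"bytes=(\d*)-(\d*)", re.ASCII)

# Constructed sample: "bytes=10-20" written with Devanagari digits
# (U+0967 U+0966 - U+0968 U+0966).
UNICODE_DIGIT_HEADER = "bytes=\u0967\u0966-\u0968\u0966"
ASCII_HEADER = "bytes=10-20"


def parse_range(header: str, pattern: re.Pattern = STRICT_RANGE):
    """Parse a single-range 'bytes=start-end' header.

    Returns (start, end) with None for an open side, or None when the header
    is rejected.  Note that int() itself accepts Unicode digits, which is why
    a lenient regex silently yields ordinary integers.
    """
    m = pattern.fullmatch(header)
    if m is None:
        return None
    start_s, end_s = m.groups()
    if not start_s and not end_s:
        return None  # "bytes=-" carries no range at all
    start = int(start_s) if start_s else None
    end = int(end_s) if end_s else None
    return (start, end)


def has_parser_differential(header: str) -> bool:
    """True when the lenient (Unicode \\d) parser accepts a header that the
    ASCII-only parser rejects: the proxy-vs-backend disagreement that makes
    smuggling and cache poisoning possible."""
    lenient = parse_range(header, LENIENT_RANGE)
    strict = parse_range(header, STRICT_RANGE)
    return lenient is not None and strict is None


def find_non_ascii_digits(header: str):
    """Detection helper: list (char, unicode name) for every non-ASCII decimal
    digit in a header value, suitable for logging or a WAF rule."""
    return [
        (ch, unicodedata.name(ch))
        for ch in header
        if unicodedata.category(ch) == "Nd" and not ch.isascii()
    ]


if __name__ == "__main__":
    for hdr in (ASCII_HEADER, UNICODE_DIGIT_HEADER):
        print(repr(hdr))
        print("  lenient :", parse_range(hdr, LENIENT_RANGE))
        print("  strict  :", parse_range(hdr, STRICT_RANGE))
        print("  re.ASCII:", parse_range(hdr, ASCII_FLAG_RANGE))
        print("  differential:", has_parser_differential(hdr))
        print("  non-ASCII digits:", find_non_ascii_digits(hdr))
```

Running the script shows the lenient parser returning `(10, 20)` for the Devanagari header while both hardened variants reject it; the ASCII header parses identically under all three. `find_non_ascii_digits` is the check a defender can run over inbound `Range` values (or any numeric header) to surface requests that would only be understood by a Unicode-lenient parser.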