Jan 6, 2026 · 5 min read
The `aiohttp` library did not carry its running request-size counter across multipart fields. By sending a request made of thousands of small parts, an attacker can bypass the global `client_max_size` limit and force the server to buffer gigabytes of data until it crashes.
A logic error in aiohttp's multipart parsing lets attackers bypass the body size limit: the byte counter is reset for every form field, so only individual parts are bounded, and the result is a trivial denial of service.
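The accounting difference described above, as an added example that is not aiohttp's own code: a toy multipart splitter over a constructed body, consumed once with a counter that restarts for every field (the flawed behaviour) and once with a single running total for the whole request (the correct check). The boundary string, field names and sizes are constructed for the demonstration.

```python
# Added illustration, not aiohttp's parser: shows why a per-part size counter
# fails to bound the request and what cumulative accounting must look like.
BOUNDARY = b"----constructed-boundary"  # constructed sample boundary


def build_multipart(n_parts: int, part_size: int) -> bytes:
    """Constructed multipart/form-data body: n_parts fields of part_size bytes each."""
    chunks = []
    for i in range(n_parts):
        chunks.append(b"--" + BOUNDARY + b"\r\n")
        chunks.append(b'Content-Disposition: form-data; name="f%d"\r\n\r\n' % i)
        chunks.append(b"x" * part_size + b"\r\n")
    chunks.append(b"--" + BOUNDARY + b"--\r\n")
    return b"".join(chunks)


def iter_parts(body: bytes):
    """Yield the payload bytes of each part, headers stripped.

    Toy splitter: assumes the boundary never occurs inside a payload.
    """
    delim = b"--" + BOUNDARY
    for seg in body.split(delim)[1:]:
        if seg.startswith(b"--"):  # closing delimiter reached
            return
        _, _, payload = seg.partition(b"\r\n\r\n")
        yield payload[:-2] if payload.endswith(b"\r\n") else payload


def read_form(body: bytes, client_max_size: int, per_part_reset: bool) -> int:
    """Consume every part under a size limit; return bytes buffered on success.

    per_part_reset=True models the flawed accounting: the counter starts from
    zero for each field, so the limit only bounds a single part.
    per_part_reset=False keeps one running total across the whole request and
    rejects the body as soon as that total would exceed client_max_size.
    """
    total = 0
    for payload in iter_parts(body):
        counted = 0 if per_part_reset else total
        if counted + len(payload) > client_max_size:
            raise ValueError("413 Request Entity Too Large")
        total += len(payload)
    return total


def rejected(body: bytes, client_max_size: int, per_part_reset: bool) -> bool:
    """True if read_form refuses the body under the given accounting mode."""
    try:
        read_form(body, client_max_size, per_part_reset)
    except ValueError:
        return True
    return False
```

With a 64 KiB limit, the per-field counter accepts a 2000-part body of roughly 1 MiB, while the cumulative counter rejects it at the first part that pushes the total over the limit.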
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

| Product | Affected Versions | Fixed Version |
|---|---|---|
| aiohttp (aio-libs) | <= 3.13.2 | 3.13.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Attack Vector | Network (HTTP) |
| CVSS v4.0 | 6.6 (Medium) |
| Impact | Denial of Service (Memory Exhaustion) |
| Exploit Status | Trivial / PoC Available |
| Fix Version | 3.13.3 |