Jan 6, 2026
aiohttp tracked the offsets of incoming HTTP chunks in a plain Python list and retrieved them with `pop(0)`. Removing the first element of a list shifts every remaining element down one slot, so `pop(0)` is O(N), and processing a request body made of N chunks therefore costs O(N^2). An attacker who sends a stream of 1-byte chunks can keep the CPU busy long enough to block the event loop; because asyncio runs all connections on a single thread, every other client served by that loop is denied service for the duration.
A Denial of Service vulnerability in the aiohttp Python library caused by algorithmic complexity in its handling of HTTP chunked transfer encoding. By sending a request body split into thousands of tiny chunks, an unauthenticated remote attacker triggers quadratic CPU consumption that stalls the asynchronous event loop.
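The pattern the advisory describes, as an added example that is not aiohttp's own parser: a toy chunked-transfer decoder that records each chunk's byte offsets in a queue and drains that queue from the front, once with `list.pop(0)` and once with `collections.deque.popleft()`, run over a constructed body of N one-byte chunks. All function names, the `max_chunks` cap and the timing harness are this example's inventions; the deque is the standard remedy for this pattern, and the page does not state which change aiohttp 3.13.3 actually made.

```python
"""Why N tiny chunks cost O(N^2) when chunk offsets are drained with list.pop(0).

Added illustration for this advisory, not aiohttp's code: a toy chunked
transfer-encoding decoder that records each chunk's offsets in a queue and
drains the queue from the front, the pattern the advisory describes.
"""
import time
from collections import deque

CRLF = b"\r\n"


def build_chunked_body(n_chunks: int, chunk: bytes = b"a") -> bytes:
    """Constructed input: n_chunks copies of `chunk` in chunked encoding plus the 0-size terminator."""
    piece = b"%x%s%s%s" % (len(chunk), CRLF, chunk, CRLF)
    return piece * n_chunks + b"0" + CRLF + CRLF


def scan_chunk_offsets(body: bytes, max_chunks=None):
    """Yield (start, end) offsets of each chunk's data by walking the chunk-size lines.

    `max_chunks` is a hypothetical defence-in-depth cap, not an aiohttp setting:
    it bounds the attacker-controlled chunk count before any per-chunk work is done.
    """
    pos = 0
    seen = 0
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        if size == 0:
            return
        seen += 1
        if max_chunks is not None and seen > max_chunks:
            raise ValueError(f"more than {max_chunks} chunks in one body")
        start, end = eol + 2, eol + 2 + size
        if body[end:end + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        yield start, end
        pos = end + 2


def decode_with_list(body: bytes):
    """Vulnerable pattern: offsets held in a list and consumed with pop(0).

    Returns (payload, element_moves). CPython's pop(0) memmoves every remaining
    element down one slot, so the total number of moves grows as N*(N-1)/2.
    """
    pending = list(scan_chunk_offsets(body))
    out = bytearray()
    moves = 0
    while pending:
        moves += len(pending) - 1  # size of the shift that pop(0) performs
        start, end = pending.pop(0)
        out += body[start:end]
    return bytes(out), moves


def decode_with_deque(body: bytes, max_chunks=None):
    """Linear-time pattern: deque.popleft() is O(1), so no elements are ever shifted."""
    pending = deque(scan_chunk_offsets(body, max_chunks))
    out = bytearray()
    while pending:
        start, end = pending.popleft()
        out += body[start:end]
    return bytes(out), 0


def time_decoders(n_chunks: int) -> dict:
    """Wall-clock seconds for each decoder on a body of n_chunks one-byte chunks."""
    body = build_chunked_body(n_chunks)
    timings = {}
    for name, fn in (("list.pop(0)", decode_with_list),
                     ("deque.popleft()", decode_with_deque)):
        t0 = time.perf_counter()
        fn(body)
        timings[name] = time.perf_counter() - t0
    return timings


if __name__ == "__main__":
    for n in (5_000, 50_000):
        _, moves = decode_with_list(build_chunked_body(n))
        print(f"{n:>6} chunks: list.pop(0) shifts {moves:,} elements in total")
        for name, secs in time_decoders(n).items():
            print(f"{'':>6}  {name:<16} {secs:8.3f}s")
```

`moves` is the deterministic measure: it is exactly N(N-1)/2 for the list and 0 for the deque, and the timings show where that lands on real hardware as N grows by a factor of ten. The `max_chunks` guard is the CWE-770 angle: even with a linear-time container, a request body's chunk count is attacker-chosen, so a server that wants a hard bound on per-request work has to impose one itself.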
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

| Product | Affected Versions | Fixed Version |
|---|---|---|
| aiohttp (aio-libs) | <= 3.13.2 | 3.13.3 |
| Attribute | Detail |
|---|---|
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Attack Vector | Network |
| CVSS v4.0 | 6.6 (Medium) |
| Complexity | O(N^2) Quadratic |
| Impact | Denial of Service (Event Loop Block) |
| Status | Fixed in 3.13.3 |
The software allocates a resource (here CPU time on the event loop) without any limit or throttling tied to the quantity of input metadata (the chunk-size lines in a request body). Because that quantity is entirely attacker-controlled, a remote client can drive resource consumption up until the service is exhausted.