Jan 6, 2026 · 7 min read
Aiohttp versions prior to 3.13.3 scream too loud when they see bad cookies. By sending a single Cookie header packed with thousands of invalid cookie names, an attacker can force the server to write thousands of warning log entries for one request. This 'Log Storm' eats CPU cycles, fills disk space, and creates a Denial of Service (DoS) condition on the logging infrastructure.
A resource exhaustion vulnerability in aiohttp allows attackers to trigger a 'logging storm' by sending thousands of malformed HTTP cookies, effectively flooding server logs and consuming excessive CPU/IO.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

| Product | Affected Versions | Fixed Version |
|---|---|---|
| aiohttp (aio-libs) | < 3.13.3 | 3.13.3 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-779 |
| Attack Vector | Network |
| CVSS v4.0 | 2.7 (Low) |
| Impact | Resource Exhaustion (DoS) |
| Vulnerability Type | Improper Handling of Excessive Data |
| Component | aiohttp/_cookie_helpers.py |
The product logs an excessive amount of data, which can lead to resource exhaustion or make it difficult to identify important log events.
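As an added illustration (not aiohttp's own code), the model below parses a Cookie header two ways: a noisy version that emits one warning per malformed name, matching the pre-3.13.3 behaviour described above, and a hardened version that counts malformed names and reports them once per request. The token pattern, the logger name and the 2000-entry hostile header are constructed for the demo.

```python
import logging
import re
log = logging.getLogger("cookie_demo")
log.propagate = False  # keep demo warnings off the root logger / stderr
# Loose approximation of RFC 6265 token characters for a cookie name (assumed; not aiohttp's own pattern).
_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_cookies_noisy(header: str) -> dict:
    """Model of the pre-3.13.3 behaviour: one warning per malformed cookie name."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if not _NAME_RE.match(name):
            log.warning("illegal cookie name %r", name)  # one record per bad name: the log storm
            continue
        cookies[name] = value
    return cookies

def parse_cookies_quiet(header: str) -> dict:
    """Hardened model: same parsing, but malformed names are counted and reported once per request."""
    cookies, bad = {}, 0
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if not _NAME_RE.match(name):
            bad += 1
            continue
        cookies[name] = value
    if bad:
        log.warning("skipped %d malformed cookie name(s) in one request", bad)
    return cookies

class _CountingHandler(logging.Handler):
    # Counts records instead of writing them, so log volume can be measured.
    def __init__(self):
        super().__init__()
        self.count = 0
    def emit(self, record):
        self.count += 1

def warnings_emitted(parser, header: str) -> int:
    """Run parser on header and return how many warning records it produced."""
    handler = _CountingHandler()
    log.addHandler(handler)
    log.setLevel(logging.WARNING)
    try:
        parser(header)
    finally:
        log.removeHandler(handler)
    return handler.count

# Constructed hostile header: 2000 cookie names containing a space, which is not a token character.
HOSTILE_HEADER = "; ".join(f"bad name{i}=x" for i in range(2000))
```

Both parsers return the same valid cookies; the difference is only in how many log records one request can generate, which is the resource that CWE-779 is about.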