Fluid Attacks Database

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	aiohttp	>=0 <3.13.3	3.13.3
debian 11	python-aiohttp	=3.7.4-1 \|\| =3.7.4-1+deb11u1 \|\| >=0 <3.7.4-1+deb11u2	3.7.4-1+deb11u2
debian 12	python-aiohttp	=3.10.0-1 \|\| =3.10.1-1 \|\| =3.10.10-1 \|\| =3.10.10-2 \|\| =3.10.11-1 \|\| =3.10.3-1 \|\| =3.10.3-2 \|\| =3.10.3-3 \|\| =3.10.4-1 \|\| =3.10.5-1 \|\| =3.10.6-1 \|\| =3.10.8-1 \|\| =3.11.15-1 \|\| =3.11.16-1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| =3.13.5-1 \|\| =3.8.4-1 \|\| =3.8.4-1+deb12u1 \|\| =3.8.5-1 \|\| =3.8.6-1 \|\| =3.9.1-1 \|\| =3.9.5-1	-
debian 13	python-aiohttp	=3.11.16-1 \|\| >=0 <3.11.16-1+deb13u1	3.11.16-1+deb13u1
debian 14	python-aiohttp	=3.11.16-1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| >=0 <3.13.3-1	3.13.3-1

Aliases

1. CVE-2025-692252. NVD-2025-692253. OSV-2025-692254. OSV-DEBIAN-2025-692255. GHSA-mqqc-3gqh-h2x86. GCVE-2025-692257. SECURITY-TRACKER-CVE-2025-69225

References

1. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x82. https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.