CVE-2025-69223 (GCVE-0-2025-69223)

Vulnerability from cvelistv5 – Published: 2026-01-05 22:00 – Updated: 2026-07-03 12:05
VLAI?
Title
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
Summary
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
CWE
  • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
aio-libs aiohttp Affected: < 3.13.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-69223",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-06T14:26:17.561184Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-06T19:04:01.249Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
              "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8",
              "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
              "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8",
              "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
              "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
              "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
              "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9",
              "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
              "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9",
              "cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3.2::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat AI Inference Server 3.2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.4::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.5::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.5",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2.6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai:3.3::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI 3.3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhmt:1"
            ],
            "defaultStatus": "affected",
            "product": "Migration Toolkit for Containers",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_lightspeed"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Lightspeed",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat AI Inference Server",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_core:2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform Ansible Core 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.6::el10",
              "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 10",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:2"
            ],
            "defaultStatus": "unaffected",
            "product": "OpenShift Service Mesh 2",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-01-05T22:00:17.715Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A decompression based denial of service flaw has been discovered in the AIOHTTP python library. Library versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host\u0027s memory."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-03T12:05:00.052Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2025-69223"
          },
          {
            "name": "RHBZ#2427456",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427456"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-69223.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:1497"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:1506"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:3959"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:1249"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:3958"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:3461"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:3462"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:1599"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:1609"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:6308"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:1596"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:3960"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:6309"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:3782"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10184"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2106"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2695"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:3713"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19712"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:1497: Red Hat Ansible Automation Platform 2.4 for RHEL 8, Red Hat Ansible Automation Platform 2.4 for RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:1506: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:3959: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:1249: Red Hat Ansible Automation Platform 2.6 for RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:3461: Red Hat AI Inference Server 3.2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:3462: Red Hat AI Inference Server 3.2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:1599: Red Hat Ansible Automation Platform 2.4"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:1609: Red Hat Ansible Automation Platform 2.5"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:6308: Red Hat Ansible Automation Platform 2.5"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:1596: Red Hat Ansible Automation Platform 2.6"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:6309: Red Hat Ansible Automation Platform 2.6"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:3782: Red Hat OpenShift AI 2.25"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10184: Red Hat OpenShift AI 2.25"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2106: Red Hat OpenShift AI 2.25"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2695: Red Hat OpenShift AI 2.25"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:3713: Red Hat OpenShift AI 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19712: Red Hat OpenShift AI 3.3"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-01-06T20:01:19.831Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-01-05T22:00:17.715Z",
            "value": "Made public."
          }
        ],
        "title": "aiohttp: AIOHTTP\u0027s HTTP Parser auto_decompress feature is vulnerable to zip bomb",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aiohttp",
          "vendor": "aio-libs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.13.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host\u0027s memory. This issue is fixed in version 3.13.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-409",
              "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T22:00:17.715Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg"
        },
        {
          "name": "https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a"
        }
      ],
      "source": {
        "advisory": "GHSA-6mq8-rvhq-8wgg",
        "discovery": "UNKNOWN"
      },
      "title": "AIOHTTP\u0027s HTTP Parser auto_decompress feature is vulnerable to zip bomb"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-69223",
    "datePublished": "2026-01-05T22:00:17.715Z",
    "dateReserved": "2025-12-29T20:45:58.699Z",
    "dateUpdated": "2026-07-03T12:05:00.052Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"aiohttp: AIOHTTP\u0027s HTTP Parser auto_decompress feature is vulnerable to zip bomb\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.4::el8\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8\", \"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.4 for RHEL 8\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.5::el8\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8\", \"cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.5 for RHEL 8\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.4::el9\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9\", \"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.4 for RHEL 9\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.5::el9\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9\", \"cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.5 for RHEL 9\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.6::el9\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9\", \"cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.6 for RHEL 9\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ai_inference_server:3.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat AI Inference Server 3.2\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.4::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.4\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.5::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.5\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.6\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai:2.25::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI 2.25\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai:3.3::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI 3.3\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhmt:1\"], \"vendor\": \"Red Hat\", \"product\": \"Migration Toolkit for Containers\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_lightspeed\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Lightspeed\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ai_inference_server:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat AI Inference Server\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_core:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform Ansible Core 2\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI) 3\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.6::el10\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.6 for RHEL 10\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:2\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Service Mesh 2\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-01-06T20:01:19.831Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-01-05T22:00:17.715Z\", \"value\": \"Made public.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"RHSA-2026:1497: Red Hat Ansible Automation Platform 2.4 for RHEL 8, Red Hat Ansible Automation Platform 2.4 for RHEL 9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:1506: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:3959: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:1249: Red Hat Ansible Automation Platform 2.6 for RHEL 9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:3461: Red Hat AI Inference Server 3.2\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:3462: Red Hat AI Inference Server 3.2\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:1599: Red Hat Ansible Automation Platform 2.4\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:1609: Red Hat Ansible Automation Platform 2.5\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:6308: Red Hat Ansible Automation Platform 2.5\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:1596: Red Hat Ansible Automation Platform 2.6\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:6309: Red Hat Ansible Automation Platform 2.6\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:3782: Red Hat OpenShift AI 2.25\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:10184: Red Hat OpenShift AI 2.25\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2106: Red Hat OpenShift AI 2.25\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2695: Red Hat OpenShift AI 2.25\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:3713: Red Hat OpenShift AI 3.3\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:19712: Red Hat OpenShift AI 3.3\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-01-05T22:00:17.715Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2025-69223\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2427456\", \"name\": \"RHBZ#2427456\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-69223.json\", \"tags\": [\"x_sadp-csaf-vex\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:1497\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:1506\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:3959\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:1249\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:3958\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:3461\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:3462\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:1599\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:1609\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:6308\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:1596\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:3960\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:6309\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:3782\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:10184\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2106\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2695\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:3713\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:19712\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\"}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A decompression based denial of service flaw has been discovered in the AIOHTTP python library. Library versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host\u0027s memory.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-07-03T12:05:00.052Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-69223\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-06T14:26:17.561184Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-06T14:26:19.595Z\"}}], \"cna\": {\"title\": \"AIOHTTP\u0027s HTTP Parser auto_decompress feature is vulnerable to zip bomb\", \"source\": {\"advisory\": \"GHSA-6mq8-rvhq-8wgg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"aio-libs\", \"product\": \"aiohttp\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.13.3\"}]}], \"references\": [{\"url\": \"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg\", \"name\": \"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a\", \"name\": \"https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host\u0027s memory. This issue is fixed in version 3.13.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-409\", \"description\": \"CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-05T22:00:17.715Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-69223\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-03T12:05:00.052Z\", \"dateReserved\": \"2025-12-29T20:45:58.699Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-05T22:00:17.715Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…