=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN005
_____________________________________________________________________

DATE                : 07/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running AIOHTTP versions prior to 3.13.3.

=====================================================================
https://github.com/advisories/GHSA-6mq8-rvhq-8wgg
https://github.com/advisories/GHSA-jj3x-wxrx-4x23
https://github.com/advisories/GHSA-6jhg-hg63-jvvf
https://github.com/advisories/GHSA-g84x-mcqj-x9qq
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2
_____________________________________________________________________


AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip
bomb

High severity GitHub Reviewed Published Jan 5, 2026 in
aio-libs/aiohttp

Vulnerability details

Package
aiohttp (pip)

Affected versions
<= 3.13.2

Patched versions
3.13.3


Description

Summary

A zip bomb can be used to execute a DoS against the aiohttp server.

Impact

An attacker may be able to send a compressed request that when
decompressed by aiohttp could exhaust the host's memory.

Patch: aio-libs/aiohttp@2b920c3


References

    GHSA-6mq8-rvhq-8wgg
    aio-libs/aiohttp@2b920c3

@Dreamsorcerer Dreamsorcerer published to aio-libs/aiohttp Jan 5, 2026
Published to the GitHub Advisory Database Jan 5, 2026
Reviewed Jan 5, 2026

Severity
High
7.5 / 10
CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS score

Weaknesses
Weakness CWE-409
Weakness CWE-770

CVE ID
CVE-2025-69223

GHSA ID
GHSA-6mq8-rvhq-8wgg

Source code
aio-libs/aiohttp

Credits

    @charleswhchan charleswhchan Reporter

_____________________________________________________________________

AIOHTTP vulnerable to DoS when bypassing asserts
Moderate severity GitHub Reviewed Published Jan 5, 2026 in
aio-libs/aiohttp • Updated Jan 6, 2026

Vulnerability details

Package
aiohttp (pip)

Affected versions
<= 3.13.2

Patched versions
3.13.3


Description

Summary

When assert statements are bypassed, an infinite loop can occur,
resulting in a DoS attack when processing a POST body.

Impact

If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the
application includes a handler that uses the Request.post() method,
then an attacker may be able to execute a DoS attack with a
specially crafted message.

Patch: aio-libs/aiohttp@bc1319e


References

    GHSA-jj3x-wxrx-4x23
    aio-libs/aiohttp@bc1319e

@Dreamsorcerer Dreamsorcerer published to aio-libs/aiohttp Jan 5, 2026
Published to the GitHub Advisory Database Jan 5, 2026
Reviewed Jan 5, 2026
Last updated Jan 6, 2026

Severity
Moderate
6.6 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

EPSS score

Weaknesses
Weakness CWE-835

CVE ID
CVE-2025-69227

GHSA ID
GHSA-jj3x-wxrx-4x23

Source code
aio-libs/aiohttp

Credits

    @ThomasRinsma ThomasRinsma Reporter

_____________________________________________________________________


AIOHTTP vulnerable to denial of service through large payloads
Moderate severity GitHub Reviewed Published Jan 5, 2026 in
aio-libs/aiohttp • Updated Jan 6, 2026
Vulnerability details

Package
aiohttp (pip)

Affected versions
<= 3.13.2

Patched versions
3.13.3


Description

Summary

A request can be crafted in such a way that an aiohttp server's memory
fills up uncontrollably during processing.

Impact

If an application includes a handler that uses the Request.post()
method, an attacker may be able to freeze the server by exhausting
the memory.

Patch: aio-libs/aiohttp@b7dbd35


References

    GHSA-6jhg-hg63-jvvf
    aio-libs/aiohttp@b7dbd35

@Dreamsorcerer Dreamsorcerer published to aio-libs/aiohttp Jan 5, 2026
Published to the GitHub Advisory Database Jan 5, 2026
Reviewed Jan 5, 2026
Last updated Jan 6, 2026

Severity
Moderate
6.6 / 10
CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

EPSS score

Weaknesses
Weakness CWE-770

CVE ID
CVE-2025-69228

GHSA ID
GHSA-6jhg-hg63-jvvf

Source code
aio-libs/aiohttp

Credits

    @ThomasRinsma ThomasRinsma Reporter

_____________________________________________________________________


AIOHTTP vulnerable to DoS through chunked messages
Moderate severity GitHub Reviewed Published Jan 5, 2026 in
aio-libs/aiohttp • Updated Jan 5, 2026
Vulnerability details

Package
aiohttp (pip)

Affected versions
<= 3.13.2

Patched versions
3.13.3


Description

Summary

Handling of chunked messages can result in excessive blocking CPU
usage when receiving a large number of chunks.


Impact

If an application makes use of the request.read() method in an
endpoint, it may be possible for an attacker to cause the server to
spend a moderate amount of blocking CPU time (e.g. 1 second) while
processing the request. This could potentially lead to DoS as the
server would be unable to handle other requests during that time.

Patch: aio-libs/aiohttp@dc3170b
Patch: aio-libs/aiohttp@4ed97a4


References

    GHSA-g84x-mcqj-x9qq
    aio-libs/aiohttp@4ed97a4
    aio-libs/aiohttp@dc3170b

@Dreamsorcerer Dreamsorcerer published to aio-libs/aiohttp Jan 5, 2026
Published to the GitHub Advisory Database Jan 5, 2026
Reviewed Jan 5, 2026
Last updated Jan 5, 2026

Severity
Moderate
6.6 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

EPSS score

Weaknesses
Weakness CWE-770

CVE ID
CVE-2025-69229

GHSA ID
GHSA-g84x-mcqj-x9qq

Source code
aio-libs/aiohttp

Credits

    @Finder16 Finder16 Reporter


_____________________________________________________________________


Brute-force leak of internal static file path components
Low
Dreamsorcerer published GHSA-54jq-c3m8-4m76 Jan 5, 2026

Package
aiohttp (pip)

Affected versions
<= 3.13.2

Patched versions
3.13.3


Description

Summary

Path normalization for static files prevents path traversal, but opens
up the ability for an attacker to ascertain the existence of absolute
path components.


Impact

If an application uses web.static() (not recommended for production
deployments), it may be possible for an attacker to ascertain the
existence of path components.

Patch: f2a86fd

Severity
Low

CVE ID
CVE-2025-69226

Weaknesses
No CWEs

Credits

    @ThomasRinsma ThomasRinsma Reporter


_____________________________________________________________________


Unicode match groups in regexes for ASCII protocol elements
Low
Dreamsorcerer published GHSA-mqqc-3gqh-h2x8 Jan 5, 2026

Package
aiohttp (pip)

Affected versions
<= 3.13.2

Patched versions
3.13.3


Description

Summary

The parser allows non-ASCII decimals to be present in the Range
header.

Impact

There is no known impact, but there is the possibility that there's
a method to exploit a request smuggling vulnerability.

Patch: c7b7a04

Severity
Low

CVE ID
CVE-2025-69225

Weaknesses
No CWEs

Credits

    @ThomasRinsma ThomasRinsma Reporter

_____________________________________________________________________


Cookie Parser Warning Storm
Low
Dreamsorcerer published GHSA-fh55-r93g-j68g Jan 5, 2026

Package
aiohttp (pip)

Affected versions
<= 3.13.2

Patched versions
3.13.3


Description

Summary

Reading multiple invalid cookies can lead to a logging storm.

Impact

If the cookies attribute is accessed in an application, then
an attacker may be able to trigger a storm of warning-level
logs using a specially crafted Cookie header.

Patch: 64629a0

Severity
Low

CVE ID
CVE-2025-69230

Weaknesses
No CWEs

Credits

    @Finder16 Finder16 Reporter

_____________________________________________________________________


Unicode processing of header values could cause parsing discrepancies
Low
Dreamsorcerer published GHSA-69f9-5gxw-wvc2 Jan 5, 2026

Package
aiohttp (pip)

Affected versions
<= 3.13.2

Patched versions
3.13.3


Description

Summary

The Python HTTP parser may allow a request smuggling attack with
the presence of non-ASCII characters.


Impact

If a pure Python version of aiohttp is installed (i.e. without the
usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an
attacker may be able to execute a request smuggling attack to
bypass certain firewalls or proxy protections.

Patch: 32677f2

Severity
Low

CVE ID
CVE-2025-69224

Weaknesses
No CWEs

Credits

    @ThomasRinsma ThomasRinsma Reporter
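
The eight advisories above share one fix (upgrade to aiohttp 3.13.3) but
differ in their preconditions: some need a handler that calls
Request.post() or request.read(), one needs web.static(), one needs the
interpreter to run with asserts stripped (-O / PYTHONOPTIMIZE), one needs
the pure-Python parser (no C extensions / AIOHTTP_NO_EXTENSIONS). The
triage script below is added here as an example; it is not code from
CERT-Renater or from the aiohttp project. It compares a version string
with 3.13.3 and lists which GHSA ids are reachable for a deployment
described by a small profile of operator-supplied flags. The profile field
names, the flag-to-advisory mapping and the sample profile in the
__main__ block are this example's own assumptions; the version, CVE and
GHSA values come from the advisories above.

```python
"""Triage helper for the aiohttp advisories listed above (added example,
not CERT-Renater's or aio-libs' code).  Compares a version string with the
patched release 3.13.3 and reports which advisories are reachable for a
deployment profile.  Profile field names are assumptions of this example."""
import os
import re
import sys
from dataclasses import dataclass
from importlib import metadata

PATCHED = (3, 13, 3)  # first release that carries all eight patches

# GHSA id -> (title, profile flag that must hold for the advisory to be
# reachable; None means it applies to every deployment of an affected version)
ADVISORIES = {
    "GHSA-6mq8-rvhq-8wgg": ("auto_decompress zip bomb (CVE-2025-69223)", "auto_decompress"),
    "GHSA-jj3x-wxrx-4x23": ("infinite loop in Request.post() with asserts stripped (CVE-2025-69227)", "post_without_asserts"),
    "GHSA-6jhg-hg63-jvvf": ("memory exhaustion in Request.post() (CVE-2025-69228)", "uses_post"),
    "GHSA-g84x-mcqj-x9qq": ("blocking CPU time on chunked bodies via request.read() (CVE-2025-69229)", "uses_read"),
    "GHSA-54jq-c3m8-4m76": ("path component existence leak via web.static() (CVE-2025-69226)", "uses_static"),
    "GHSA-mqqc-3gqh-h2x8": ("non-ASCII decimals accepted in Range header (CVE-2025-69225)", None),
    "GHSA-fh55-r93g-j68g": ("cookie parser warning storm (CVE-2025-69230)", "reads_cookies"),
    "GHSA-69f9-5gxw-wvc2": ("request smuggling in the pure-Python parser (CVE-2025-69224)", "pure_python_parser"),
}


@dataclass
class Profile:
    """Facts about one deployment (field names are this example's assumptions)."""
    auto_decompress: bool = True      # aiohttp's default for the server parser
    uses_post: bool = False           # some handler calls Request.post()
    uses_read: bool = False           # some handler calls request.read()
    uses_static: bool = False         # web.static() is mounted
    reads_cookies: bool = False       # some handler accesses request.cookies
    asserts_stripped: bool = False    # interpreter run with -O / PYTHONOPTIMIZE
    pure_python_parser: bool = False  # no C extensions or AIOHTTP_NO_EXTENSIONS set

    def holds(self, flag):
        if flag is None:
            return True
        if flag == "post_without_asserts":  # GHSA-jj3x needs both conditions
            return self.uses_post and self.asserts_stripped
        return getattr(self, flag)


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for '3.13.2', '3.13.3rc1', '3.13.3.post1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised aiohttp version: {text!r}")
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    prerelease = bool(suffix) and not suffix.startswith(".post")
    return triple, prerelease


def is_affected(version):
    """True for every release before 3.13.3, including pre-releases of 3.13.3 itself."""
    triple, prerelease = parse_version(version)
    return triple < PATCHED or (triple == PATCHED and prerelease)


def applicable(version, profile):
    """GHSA ids (in the order listed above) reachable for this version and profile."""
    if not is_affected(version):
        return []
    return [ghsa for ghsa, (_, flag) in ADVISORIES.items() if profile.holds(flag)]


def runtime_profile(**overrides):
    """Profile pre-filled with what the interpreter itself can tell us; the
    code-usage flags must be supplied by the operator as overrides."""
    hints = {
        "asserts_stripped": sys.flags.optimize > 0,
        "pure_python_parser": bool(os.environ.get("AIOHTTP_NO_EXTENSIONS")),
    }
    hints.update(overrides)
    return Profile(**hints)


def installed_version():
    """Installed aiohttp version from package metadata, or None if absent."""
    try:
        return metadata.version("aiohttp")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    if version is None:
        sys.exit("aiohttp is not installed here; pass a version string, e.g. 3.13.2")
    # Constructed sample profile: a typical form-handling service.
    profile = runtime_profile(uses_post=True, uses_read=True, reads_cookies=True)
    hits = applicable(version, profile)
    print(f"aiohttp {version}: {'affected' if is_affected(version) else 'patched'}")
    for ghsa in hits:
        print(f"  {ghsa}: {ADVISORIES[ghsa][0]}")
    if is_affected(version) and not hits:
        print("  no listed advisory reachable with this profile, upgrade anyway")
```

Run it as `python triage.py 3.13.2` or without an argument to use the
installed package. The version comparison is by the leading major.minor.patch
triple only; a pre-release tag on 3.13.3 (for example 3.13.3rc1) is treated
as still affected, a post-release tag is not.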



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




