PyPI: aiohttp
CVE-2025-69228
Safety vulnerability ID: SFTY-20260105-77370
Safety legacy ID: pyup.io-83967
Overview
AIOHTTP vulnerable to denial of service through large payloads
Advisory
Affected versions of aiohttp are vulnerable to denial of service (DoS) because request size limits are not enforced correctly while parsing multipart forms. aiohttp.web_request.Request.post() (in aiohttp/web_request.py) reads the multipart fields in a loop but, prior to the fix, resets its running byte counter for every part instead of tracking the total size of the whole form. Each part is therefore compared against client_max_size on its own, so a client can send many parts that are each under the limit while the aggregate payload grows without bound.
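As an added illustration (example code, not aiohttp's own implementation and not the fix commit), the following Python model shows the accounting described above: a vulnerable reader that restarts its counter for each part, beside a corrected reader that keeps one running total. `iter_parts`, `build_multipart`, `read_form_vulnerable`, `read_form_fixed` and `demo` are names invented for this example; `client_max_size` is aiohttp's real setting (default 1 MiB) but is passed here as a small parameter so the numbers stay readable. The multipart body is constructed inline.

```python
import re
from typing import Iterator, List, Tuple

# Simplified model of the size accounting in aiohttp.web_request.Request.post()
# (constructed for this example; not aiohttp's code). client_max_size is passed
# in explicitly; aiohttp's default is 1 MiB. A value of 0 disables the check here.

Field = Tuple[str, bytes]


class PayloadTooLarge(Exception):
    """Stands in for the 413 response (HTTPRequestEntityTooLarge) a real server would send."""

    def __init__(self, max_size: int, actual_size: int) -> None:
        super().__init__(f"payload of {actual_size} bytes exceeds client_max_size={max_size}")
        self.max_size = max_size
        self.actual_size = actual_size


def build_multipart(parts: List[Field], boundary: bytes) -> bytes:
    """Serialize (name, data) pairs as a multipart/form-data body (constructed input)."""
    out = bytearray()
    for name, data in parts:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        out += data + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def iter_parts(body: bytes, boundary: bytes) -> Iterator[Field]:
    """Minimal splitter for bodies produced by build_multipart() (not a general RFC 7578 parser)."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            return
        # Each part is framed by the CRLF after the delimiter and the CRLF before the next one.
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        chunk = chunk[:-2] if chunk.endswith(b"\r\n") else chunk
        headers, _, data = chunk.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', headers)
        yield (match.group(1).decode() if match else ""), data


def read_form_vulnerable(body: bytes, boundary: bytes, client_max_size: int) -> List[Field]:
    """Pre-fix accounting: the counter restarts for every part, so only one field at a time
    is ever compared with client_max_size and the aggregate body is unbounded."""
    fields: List[Field] = []
    for name, data in iter_parts(body, boundary):
        size = 0  # the bug: reset per part
        size += len(data)
        if 0 < client_max_size < size:
            raise PayloadTooLarge(client_max_size, size)
        fields.append((name, data))
    return fields


def read_form_fixed(body: bytes, boundary: bytes, client_max_size: int) -> List[Field]:
    """Corrected accounting: one running total over all parts, checked after each read."""
    fields: List[Field] = []
    size = 0  # initialised once for the whole form
    for name, data in iter_parts(body, boundary):
        size += len(data)
        if 0 < client_max_size < size:
            raise PayloadTooLarge(client_max_size, size)
        fields.append((name, data))
    return fields


def demo(client_max_size: int = 1000, part_size: int = 600, n_parts: int = 4) -> Tuple[int, int]:
    """Send n_parts fields, each under the limit but together far over it.
    Returns (bytes accepted by the vulnerable reader, running total at which the fixed
    reader rejected the form; 0 if it accepted everything)."""
    boundary = b"exampleboundary"
    parts = [(f"f{i}", b"A" * part_size) for i in range(n_parts)]
    body = build_multipart(parts, boundary)

    accepted = sum(len(data) for _, data in read_form_vulnerable(body, boundary, client_max_size))
    try:
        read_form_fixed(body, boundary, client_max_size)
        rejected_at = 0
    except PayloadTooLarge as exc:
        rejected_at = exc.actual_size
    return accepted, rejected_at


if __name__ == "__main__":
    accepted, rejected_at = demo()
    print(f"vulnerable reader accepted {accepted} bytes against client_max_size=1000")
    print(f"fixed reader rejected the form once the running total reached {rejected_at} bytes")
```

With four 600-byte fields and a 1000-byte limit, the vulnerable reader accepts all 2400 bytes because each part is checked in isolation, while the fixed reader rejects the form on the second part (running total 1200). A single part larger than the limit is caught by both readers, which is why the flaw only shows up with many small parts.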
How to Fix
The fix is the upstream commit listed under References (aio-libs/aiohttp b7dbd35375aedbcd712cbae8ad513d56d11cce60); upgrade to an aiohttp release that includes it.
Mitigation and Workarounds
None listed.
Vulnerable Functions
- aiohttp.web_request.Request.post() (aiohttp/web_request.py)
References
- https://getsafety.com/vulnerabilities/SFTY-20260105-77370/CVE-2025-69228
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69228
- https://github.com/advisories/GHSA-6jhg-hg63-jvvf
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf
- https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60
- https://nvd.nist.gov/vuln/detail/CVE-2025-69228
