Packages
- python-aiohttp - Asynchronous HTTP client/server Python framework
Details
Charles Chan discovered that AIOHTTP incorrectly handled the decompression
of compressed requests. A remote attacker could possibly use this issue to
cause a denial of service. This issue was only addressed in Ubuntu 25.10.
(CVE-2025-69223)
Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII
characters in HTTP headers. A remote attacker could possibly use this issue
to perform a request smuggling attack to bypass certain proxy protections.
This issue was only addressed in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and
Ubuntu 25.10. (CVE-2025-69224)
Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII
characters in the Range header. A remote attacker could possibly use this
issue to perform a request smuggling attack. (CVE-2025-69225)
Thomas Rinsma discovered that AIOHTTP incorrectly...
Charles Chan discovered that AIOHTTP incorrectly handled the decompression
of compressed requests. A remote attacker could possibly use this issue to
cause a denial of service. This issue was only addressed in Ubuntu 25.10.
(CVE-2025-69223)
Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII
characters in HTTP headers. A remote attacker could possibly use this issue
to perform a request smuggling attack to bypass certain proxy protections.
This issue was only addressed in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and
Ubuntu 25.10. (CVE-2025-69224)
Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII
characters in the Range header. A remote attacker could possibly use this
issue to perform a request smuggling attack. (CVE-2025-69225)
Thomas Rinsma discovered that AIOHTTP incorrectly handled path
normalization when serving static files. A remote attacker could possibly
use this issue to obtain sensitive information. (CVE-2025-69226)
Thomas Rinsma discovered that AIOHTTP incorrectly handled certain POST
request bodies. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2025-69227)
Thomas Rinsma discovered that AIOHTTP incorrectly handled large POST
request payloads. A remote attacker could possibly use this issue to cause
a denial of service. (CVE-2025-69228)
It was discovered that AIOHTTP incorrectly handled chunked messages. A
remote attacker could possibly use this issue to cause a denial of service.
(CVE-2025-69229)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 25.10 questing | python3-aiohttp – 3.11.16-1ubuntu0.1 | ||
| 24.04 LTS noble | python3-aiohttp – 3.9.1-1ubuntu0.1+esm2 | ||
| 22.04 LTS jammy | python3-aiohttp – 3.8.1-4ubuntu0.2+esm2 | ||
| 20.04 LTS focal | python3-aiohttp – 3.6.2-1ubuntu1+esm5 | ||
| 18.04 LTS bionic | python3-aiohttp – 3.0.1-1ubuntu0.1~esm6 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.