Charles Chan discovered that AIOHTTP incorrectly handled the decompression of compressed requests. A remote attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 25.10. (CVE-2025-69223) Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII characters in HTTP headers. A remote attacker could possibly use this issue to perform a request smuggling attack to bypass certain proxy protections. This issue was only addressed in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-69224) Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII characters in the Range header. A remote attacker could possibly use this issue to perform a request smuggling attack. (CVE-2025-69225) Thomas Rinsma discovered that AIOHTTP incorrectly handled path normalization when serving static files. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2025-69226) Thomas Rinsma discovered that AIOHTTP incorrectly handled certain POST request bodies. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2025-69227) Thomas Rinsma discovered that AIOHTTP incorrectly handled large POST request payloads. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2025-69228) It was discovered that AIOHTTP incorrectly handled chunked messages. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2025-69229)
Continue reading...
Continue reading...
