AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that, when decompressed by AIOHTTP, could exhaust the host's memory. This issue is fixed in version 3.13.3.
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
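For code that inflates untrusted request bodies itself, the weakness described above is avoided by capping decompressed output rather than trusting the compressed size. The following is an added example, not AIOHTTP's code or its 3.13.3 fix; `bounded_decompress`, `DecompressedSizeExceeded`, `constructed_bomb` and the 1 MiB default cap are hypothetical names and values chosen for illustration.

```python
import zlib


class DecompressedSizeExceeded(Exception):
    """The decompressed body would exceed the configured cap."""


def bounded_decompress(chunks, max_output=1 << 20, step=64 * 1024):
    """Inflate an iterable of compressed chunks, aborting once the
    output passes max_output bytes (hypothetical helper)."""
    # MAX_WBITS | 32 auto-detects zlib and gzip headers.
    inflater = zlib.decompressobj(zlib.MAX_WBITS | 32)
    out = bytearray()

    def take(piece):
        out.extend(piece)
        if len(out) > max_output:
            raise DecompressedSizeExceeded(
                f"decompressed body exceeds {max_output} bytes")

    for chunk in chunks:
        data = chunk
        while data and not inflater.eof:
            # max_length bounds what one call may emit. 0 means
            # "unlimited", so always request at least one byte.
            allowance = min(step, max_output - len(out) + 1)
            take(inflater.decompress(data, allowance))
            # Input not yet processed because of the output limit.
            data = inflater.unconsumed_tail
    take(inflater.flush())
    return bytes(out)


def constructed_bomb(size=16 * 1024 * 1024):
    """Constructed sample: `size` zero bytes, a few KiB once compressed."""
    return zlib.compress(b"\0" * size, 9)


if __name__ == "__main__":
    bomb = constructed_bomb()
    print(len(bomb), "compressed bytes on the wire")
    try:
        bounded_decompress([bomb])
    except DecompressedSizeExceeded as exc:
        print("rejected:", exc)
```

Because the check runs after every bounded call, the buffer never grows more than one byte past the cap before the request is rejected, whatever the compression ratio.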
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Aiohttp | Aiohttp | * | 3.13.3 (excluding) |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | RedHat | automation-controller-0:4.5.30-1.el8ap | * |
| Red Hat Ansible Automation Platform 2.4 for RHEL 9 | RedHat | automation-controller-0:4.5.30-1.el9ap | * |
| Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | automation-controller-0:4.6.25-1.el8ap | * |
| Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | automation-controller-0:4.6.25-1.el9ap | * |
| Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | automation-controller-0:4.7.8-1.el9ap | * |
| Red Hat Ansible Automation Platform 2.4 | RedHat | ansible-automation-platform-24/controller-rhel8:sha256:6407934968d4a6b83164a2d11870e46ab781c14445ab809b55acb9ce32b3a450 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/controller-rhel9:sha256:bb334abcc74bbebff0442393d370d7a4990097b275cf46761933a7fd61d94c87 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/de-minimal-rhel9:sha256:7f64dd39779023cd008c3237b60b419821985d658d24429b92070db9224b2629 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/de-supported-rhel9:sha256:1dd6b6b9d9426175830de6066033115287ec259d118d5214582730209f3b3e63 | * |
| Python-aiohttp | Ubuntu | plucky | * |