AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.
Weakness
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Aiohttp | Aiohttp | * | 3.13.3 (excluding) |
| Python-aiohttp | Ubuntu | esm-apps/bionic | * |
| Python-aiohttp | Ubuntu | esm-apps/focal | * |
| Python-aiohttp | Ubuntu | esm-apps/jammy | * |
| Python-aiohttp | Ubuntu | esm-apps/noble | * |
| Python-aiohttp | Ubuntu | esm-apps/xenial | * |
| Python-aiohttp | Ubuntu | jammy | * |
| Python-aiohttp | Ubuntu | noble | * |
| Python-aiohttp | Ubuntu | plucky | * |
| Python-aiohttp | Ubuntu | questing | * |
| Python-aiohttp | Ubuntu | upstream | * |