python311-aiohttp-3.13.3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10025-1 Final 1 1 2026-01-09T00:00:00Z current 2026-01-09T00:00:00Z 2026-01-09T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python311-aiohttp-3.13.3-1.1 on GA media These are all security issues fixed in the python311-aiohttp-3.13.3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10025 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-69223/ SUSE CVE CVE-2025-69223 page https://www.suse.com/security/cve/CVE-2025-69224/ SUSE CVE CVE-2025-69224 page https://www.suse.com/security/cve/CVE-2025-69225/ SUSE CVE CVE-2025-69225 page https://www.suse.com/security/cve/CVE-2025-69226/ SUSE CVE CVE-2025-69226 page https://www.suse.com/security/cve/CVE-2025-69227/ SUSE CVE CVE-2025-69227 page https://www.suse.com/security/cve/CVE-2025-69228/ SUSE CVE CVE-2025-69228 page https://www.suse.com/security/cve/CVE-2025-69229/ SUSE CVE CVE-2025-69229 page https://www.suse.com/security/cve/CVE-2025-69230/ SUSE CVE CVE-2025-69230 page openSUSE Tumbleweed python311-aiohttp-3.13.3-1.1 python312-aiohttp-3.13.3-1.1 python313-aiohttp-3.13.3-1.1 python311-aiohttp-3.13.3-1.1 as a component of openSUSE Tumbleweed python312-aiohttp-3.13.3-1.1 as a component of openSUSE Tumbleweed python313-aiohttp-3.13.3-1.1 as a component of openSUSE Tumbleweed AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3. CVE-2025-69223 openSUSE Tumbleweed:python311-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python312-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python313-aiohttp-3.13.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-69223.html CVE-2025-69223 https://bugzilla.suse.com/1256017 SUSE Bug 1256017 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3. CVE-2025-69224 openSUSE Tumbleweed:python311-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python312-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python313-aiohttp-3.13.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-69224.html CVE-2025-69224 https://bugzilla.suse.com/1256018 SUSE Bug 1256018 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3. CVE-2025-69225 openSUSE Tumbleweed:python311-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python312-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python313-aiohttp-3.13.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-69225.html CVE-2025-69225 https://bugzilla.suse.com/1256019 SUSE Bug 1256019 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3. CVE-2025-69226 openSUSE Tumbleweed:python311-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python312-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python313-aiohttp-3.13.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-69226.html CVE-2025-69226 https://bugzilla.suse.com/1256020 SUSE Bug 1256020 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3. CVE-2025-69227 openSUSE Tumbleweed:python311-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python312-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python313-aiohttp-3.13.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-69227.html CVE-2025-69227 https://bugzilla.suse.com/1256021 SUSE Bug 1256021 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3. CVE-2025-69228 openSUSE Tumbleweed:python311-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python312-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python313-aiohttp-3.13.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-69228.html CVE-2025-69228 https://bugzilla.suse.com/1256022 SUSE Bug 1256022 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3. CVE-2025-69229 openSUSE Tumbleweed:python311-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python312-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python313-aiohttp-3.13.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-69229.html CVE-2025-69229 https://bugzilla.suse.com/1256023 SUSE Bug 1256023 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. This issue is fixed in 3.13.3. CVE-2025-69230 openSUSE Tumbleweed:python311-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python312-aiohttp-3.13.3-1.1 openSUSE Tumbleweed:python313-aiohttp-3.13.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-69230.html CVE-2025-69230 https://bugzilla.suse.com/1256024 SUSE Bug 1256024