
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-69224: Absolute Zero Security: Smuggling Requests into aiohttp with the Kelvin Sign


Vulnerability ID: CVE-2025-69224
CVSS Score: 6.3
Published: 2026-01-05

A high-impact HTTP Request Smuggling vulnerability in aiohttp's pure-Python parser allows attackers to bypass security controls using a Unicode case-folding anomaly (specifically the Kelvin sign 'K', U+212A, which Python's str.lower() folds to the ASCII letter 'k').

TL;DR

aiohttp's pure-Python parser applies Unicode case-folding to HTTP header values, so certain non-ASCII characters (such as the Kelvin sign) collapse into ASCII during header processing. A Transfer-Encoding value of 'chunKed' therefore becomes 'chunked' on the backend, while a front-end proxy that compares raw bytes does not recognise it as chunked at all. The two sides then disagree on where the request body ends, and that desynchronization enables HTTP Request Smuggling.
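As an added example (not code from the aiohttp project or from the original report; function names are illustrative), the Python below reproduces the comparison at the heart of the bug: the pre-fix check, the fixed check, the byte-level comparison a front end performs, and a scan that enumerates every non-ASCII code point whose str.lower() result is pure ASCII, which is the whole class of characters that can produce this mismatch, not only the Kelvin sign.

```python
# Added example, not aiohttp's own code. Function names are illustrative.
from typing import Dict

KELVIN = "\u212a"  # KELVIN SIGN; str.lower() maps it to ASCII 'k'


def _last_te_token(te: str) -> str:
    """Transfer-Encoding lists codings; only the final one decides chunking."""
    return te.rsplit(",", maxsplit=1)[-1].strip(" \t")


def is_chunked_te_vulnerable(te: str) -> bool:
    """Pre-fix logic: Unicode-aware lower() folds U+212A into 'k',
    so 'chunKed' (with a Kelvin sign) is accepted as 'chunked'."""
    return _last_te_token(te).lower() == "chunked"


def is_chunked_te_fixed(te: str) -> bool:
    """Fixed logic: the token must be pure ASCII before the case-insensitive
    comparison, so the Kelvin sign can no longer be folded into a match."""
    token = _last_te_token(te)
    return token.isascii() and token.lower() == "chunked"


def front_end_sees_chunked(te: bytes) -> bool:
    """What a byte-oriented front end does: bytes.lower() only folds ASCII,
    so the UTF-8 Kelvin sign (E2 84 AA) is left untouched and never matches."""
    token = te.rsplit(b",", 1)[-1].strip(b" \t")
    return token.lower() == b"chunked"


def ascii_folding_chars() -> Dict[str, str]:
    """Enumerate every non-ASCII code point whose str.lower() result is pure
    ASCII. Any such character can pass an ASCII comparison performed after
    lower(); this is exactly the class the isascii() guard closes off."""
    found: Dict[str, str] = {}
    for cp in range(0x80, 0x110000):
        ch = chr(cp)
        low = ch.lower()
        if low.isascii():
            found[ch] = low
    return found


def desync_report(te_value: str) -> Dict[str, bool]:
    """Side-by-side view for one Transfer-Encoding value: the request is
    dangerous when the backend and the front end disagree on chunking."""
    backend_old = is_chunked_te_vulnerable(te_value)
    backend_new = is_chunked_te_fixed(te_value)
    front_end = front_end_sees_chunked(te_value.encode("utf-8"))
    return {
        "front_end_chunked": front_end,
        "backend_vulnerable_chunked": backend_old,
        "backend_fixed_chunked": backend_new,
        "desync_before_fix": front_end != backend_old,
        "desync_after_fix": front_end != backend_new,
    }


if __name__ == "__main__":
    smuggled = f"chun{KELVIN}ed"  # constructed sample header value
    print(desync_report(smuggled))
    print(desync_report("chunked"))
    print({hex(ord(c)): v for c, v in ascii_folding_chars().items()})
```

The scan in ascii_folding_chars() runs over the whole code space once (about a second) and is the check worth keeping in a test suite: if a future Python release adds another code point that lowercases to ASCII, an isascii()-guarded comparison stays safe but a bare lower() comparison would silently gain a new bypass.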


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-444 (HTTP Request Smuggling)
  • CVSS v4.0: 6.3 (Medium)
  • Attack Vector: Network (Protocol Manipulation)
  • Impact: Security Bypass / Cache Poisoning
  • Root Cause: Unicode Normalization (Kelvin Sign)
  • Affected Component: aiohttp pure-Python parser

Affected Systems

  • aiohttp < 3.13.3 (Pure Python parser mode)
  • Applications using AIOHTTP_NO_EXTENSIONS=1
  • PyPy environments running aiohttp
  • aiohttp: < 3.13.3 (Fixed in: 3.13.3)

Code Analysis

Commit: 32677f2

Fix for CVE-2025-69224: incorrect interpretation of Transfer-Encoding

@@ -123,7 +123,7 @@ def _is_chunked_te(self, te: str) -> bool:
     te = te.rsplit(",", maxsplit=1)[-1].strip(" \t")
-    if te.lower() == "chunked":
+    if te.isascii() and te.lower() == "chunked":
         return True
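Review bot: the `te.isascii()` guard has to be evaluated before `te.lower()`, as it is here, because CPython's `str.lower()` maps U+212A KELVIN SIGN to the ASCII letter `k`, so the old `te.lower() == "chunked"` accepted `chunKed`; a regression test that feeds exactly that value to `_is_chunked_te` and expects `False` would lock the fix in. Since `rsplit(",", maxsplit=1)[-1]` only inspects the final coding, the guard covers the one token that decides chunking, but any other place in the parser that compares a header token with `.lower()` against an ASCII literal has the same fold and deserves the same `isascii()` check.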

Exploit Details

  • Manual: Kelvin Sign (U+212A) transformation PoC

Mitigation Strategies

  • Upgrade aiohttp to version 3.13.3 or higher immediately.
  • Ensure C extensions are compiled and loaded; avoid AIOHTTP_NO_EXTENSIONS=1.
  • Configure front-end proxies to normalize or drop non-ASCII headers.

Remediation Steps:

  1. Check current version: pip show aiohttp.
  2. Update package: pip install "aiohttp>=3.13.3" (quote the specifier so the shell does not treat > as a redirect).
  3. Verify C extensions: Run python -c 'import aiohttp; print(aiohttp.NO_EXTENSIONS)'. Output should be False.
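The following Python is an added example (not aiohttp's code or any proxy vendor's configuration; function names are illustrative, and the fixed version number comes from this advisory) that turns the mitigation list above into two checks a defender can run: a version gate that treats pre-releases of 3.13.3 as unfixed, and a front-end header policy that rejects non-ASCII or malformed Transfer-Encoding values before they reach the backend.

```python
# Added example, not aiohttp's own code or any proxy's configuration.
# Function names are illustrative; 3.13.3 is the fixed release named in the advisory.
import os
import re
from typing import Dict, List, Optional, Tuple

# Trailing 1 marks a final release, so 3.13.3rc1 (trailing 0) compares as unfixed.
FIXED_VERSION = (3, 13, 3, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
# RFC 9110 tchar: the only characters allowed in a transfer-coding name.
# Deliberately no re.IGNORECASE: under Unicode case-insensitive matching,
# [Kk] would also match U+212A, reintroducing the very fold being guarded against.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """'3.13.3' -> (3, 13, 3, 1); '3.13.3rc1' -> (3, 13, 3, 0); '3.13' -> (3, 13, 0, 1)."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, suffix = m.groups()
    final = 1 if suffix == "" or suffix.startswith(".post") else 0
    return int(major), int(minor), int(patch or 0), final


def is_fixed_version(v: str) -> bool:
    return parse_version(v) >= FIXED_VERSION


def installed_aiohttp_status() -> Dict[str, Optional[object]]:
    """Version and parser-mode report for the running interpreter. The env var
    is read directly so the report is still useful when aiohttp is not importable."""
    status: Dict[str, Optional[object]] = {
        "installed": False,
        "version": None,
        "fixed": None,
        "pure_python_forced": bool(os.environ.get("AIOHTTP_NO_EXTENSIONS")),
    }
    try:
        import aiohttp
    except ImportError:
        return status
    status["installed"] = True
    status["version"] = aiohttp.__version__
    status["fixed"] = is_fixed_version(aiohttp.__version__)
    return status


def transfer_encoding_is_well_formed(value: str) -> bool:
    """Every coding in the list must be an ASCII token; a value carrying a
    Kelvin sign fails here before any case-folding can happen."""
    codings = [c.strip(" \t") for c in value.split(",")]
    return all(c.isascii() and bool(_TOKEN_RE.match(c)) for c in codings)


def front_end_verdict(headers: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Front-end policy: returns (reject, reasons). A non-ASCII header or a
    malformed framing header is grounds to reject the whole request (400)
    rather than forward a cleaned copy, because silently dropping
    Transfer-Encoding changes how the body is framed and can itself desync."""
    reasons: List[str] = []
    for name, value in headers:
        if not (name.isascii() and value.isascii()):
            reasons.append(f"non-ASCII header: {name!r}")
        elif name.lower() == "transfer-encoding" and not transfer_encoding_is_well_formed(value):
            reasons.append(f"malformed Transfer-Encoding: {value!r}")
    return bool(reasons), reasons


if __name__ == "__main__":
    print(installed_aiohttp_status())
    # Constructed sample request headers, one clean and one carrying U+212A.
    print(front_end_verdict([("Host", "example.test"), ("Transfer-Encoding", "chunked")]))
    print(front_end_verdict([("Host", "example.test"), ("Transfer-Encoding", "chun\u212aed")]))
```

Run it on each host that serves aiohttp: "fixed": False or "pure_python_forced": True is the combination the advisory describes, and the front-end policy is the part to port into whatever proxy sits in front of the application.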

Read the full report for CVE-2025-69224 on our website for more details including interactive diagrams and full exploit analysis.
