DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2025-69229: Death by a Thousand Chunks: The aiohttp O(N^2) DoS


Vulnerability ID: CVE-2025-69229
CVSS Score: 6.6
Published: 2026-01-05

A Denial of Service vulnerability in the aiohttp Python library (CVSS v4.0 6.6, Medium) caused by algorithmic complexity in its handling of HTTP chunked transfer encoding. By sending a request body made of thousands of tiny chunks, an attacker triggers quadratic CPU consumption on the server, stalling the asynchronous event loop that serves every other connection on that worker.

TL;DR

aiohttp tracked HTTP chunk boundaries in a standard Python list and removed each consumed boundary with pop(0). Because pop(0) shifts every remaining element it is an O(N) operation, so reading a body of N chunks costs O(N^2). A single client sending a stream of 1-byte chunks can keep the CPU busy in that loop, and because the work runs on the event loop, every other client on the worker stalls with it.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
  • Attack Vector: Network
  • CVSS v4.0: 6.6 (Medium)
  • Complexity: O(N^2) Quadratic
  • Impact: Denial of Service (Event Loop Block)
  • Status: Fixed in 3.13.3

Affected Systems

  • aiohttp <= 3.13.2 (fixed in 3.13.3)

Code Analysis

Commit: dc3170b

Switch from list.pop(0) to deque.popleft() for chunk splits

- self._http_chunk_splits = []
+ self._http_chunk_splits = collections.deque()
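Review bot: the hunk only swaps the container; since collections.deque has no positional pop (its pop() takes no index), every remaining self._http_chunk_splits.pop(0) call site must be changed to popleft() in the same commit or those calls will raise TypeError at runtime, and collections must be imported in the module that initialises this attribute. The commit message could also state that append, len, iteration and indexing keep their list semantics on a deque, so no other consumer of the attribute needs changes.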

Commit: 4ed97a4

Add high/low watermarks for chunk count throttling

+ if len(self._http_chunk_splits) > self._high_water_chunks: self._protocol.pause_reading()
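Review bot: only the pause half of the watermark pair is visible here; the title promises high/low watermarks, so the hunk that calls self._protocol.resume_reading() once the consumer drains the backlog to the low mark should be shown alongside this one, because a pause_reading() with no matching resume leaves any connection that exceeds _high_water_chunks stalled for good. Style point on the same line: put the body of the if on its own line rather than after the colon. Note also that this throttle bounds how many splits can accumulate; the quadratic cost itself is removed by the deque change in the other commit, not by this one.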
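The two commits above, modelled end to end as an added example written for this post (it is not aiohttp's code, and ChunkReader, FakeProtocol, pump and the watermark values are invented names). The reader can be built with the vulnerable list-plus-pop(0) bookkeeping or the deque.popleft() fix, and optionally with the high/low watermark throttle; a minimal chunked-encoding decoder feeds it a constructed body of n one-byte chunks, and time_drain shows the list version scaling quadratically while the deque version scales linearly:

```python
import collections
import time


class FakeProtocol:
    """Stand-in for the socket-facing protocol; records pause/resume requests."""
    def __init__(self):
        self.paused, self.pauses, self.resumes = False, 0, 0

    def pause_reading(self):
        if not self.paused:
            self.paused, self.pauses = True, self.pauses + 1

    def resume_reading(self):
        if self.paused:
            self.paused, self.resumes = False, self.resumes + 1


class ChunkReader:
    """Toy model (not aiohttp's code) of a body reader that records where each HTTP
    chunk ends so readchunk() can hand them back one at a time. use_deque=False
    reproduces the bug: `_splits` is a list whose head is removed with pop(0), an O(N)
    shift, so N chunks cost O(N^2); use_deque=True is fix 1. high_water/low_water model
    fix 2: pause the socket when more than high_water chunks are pending and resume
    once the backlog is drained to low_water or fewer."""
    def __init__(self, protocol, *, use_deque=False, high_water=None, low_water=0):
        self.protocol = protocol
        self._data = bytearray()   # whole body so far (never trimmed; keeps the model simple)
        self._cursor = 0           # absolute offset of the next unread byte
        self._use_deque = use_deque
        self._splits = collections.deque() if use_deque else []
        self._high_water, self._low_water = high_water, low_water
        self.max_pending = 0       # largest backlog observed

    @property
    def pending(self):
        return len(self._splits)

    def feed_chunk(self, data: bytes) -> None:
        self._data += data         # amortised O(1) append
        self._splits.append(len(self._data))
        self.max_pending = max(self.max_pending, self.pending)
        if self._high_water is not None and self.pending > self._high_water:
            self.protocol.pause_reading()

    def readchunk(self) -> bytes:
        if not self._splits:
            return b""
        end = self._splits.popleft() if self._use_deque else self._splits.pop(0)
        chunk = bytes(self._data[self._cursor:end])
        self._cursor = end
        if self.protocol.paused and self.pending <= self._low_water:
            self.protocol.resume_reading()
        return chunk


def chunked_body(n: int, payload: bytes = b"A") -> bytes:
    """Constructed request body: n tiny chunks, then the zero-length terminator."""
    return (b"%x\r\n%s\r\n" % (len(payload), payload)) * n + b"0\r\n\r\n"


def iter_chunks(body: bytes):
    """Minimal HTTP/1.1 chunked-encoding decoder; yields each chunk's data."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return                                    # last-chunk; trailers ignored
        yield body[pos:pos + size]
        pos += size + 2                               # chunk data plus its CRLF


def pump(reader: ChunkReader, body: bytes) -> list:
    """Models the event loop: deliver chunks while the socket is readable; when
    the reader pauses it, let the consumer drain until reading resumes."""
    out = []
    for chunk in iter_chunks(body):
        reader.feed_chunk(chunk)
        while reader.protocol.paused:
            out.append(reader.readchunk())
    while reader.pending:
        out.append(reader.readchunk())
    return out


def time_drain(n: int, use_deque: bool) -> float:
    """Seconds to feed and read back n one-byte chunks with the chosen container."""
    reader, body = ChunkReader(FakeProtocol(), use_deque=use_deque), chunked_body(n)
    start = time.perf_counter()
    pump(reader, body)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (20_000, 80_000):  # 4x more chunks: list time grows ~16x, deque ~4x
        print(f"n={n:>6}  list.pop(0): {time_drain(n, False):.3f}s  deque.popleft(): {time_drain(n, True):.3f}s")
```

Run it directly to see the timings; with high_water=8 and low_water=4 the throttled reader never holds more than nine pending splits for a 100-chunk body, whereas the untreated reader accumulates one split per chunk before the consumer gets a turn.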

Exploit Details

  • Internal Research: No public exploit code has been released, but the condition is trivial to reconstruct: any client that can emit a chunked request body as a long stream of 1-byte chunks suffices.

Mitigation Strategies

  • Upgrade aiohttp to version 3.13.3 or higher.
  • Put a reverse proxy with request buffering in front of the service: nginx with proxy_request_buffering on (its default) reads the whole body before forwarding it to the upstream, so the backend never sees the client's chunk boundaries; pair it with client_max_body_size so the proxy is not asked to buffer unbounded input. With HAProxy or another proxy, confirm the equivalent buffering option is in effect, since a proxy that streams the body through unchanged does not help.
  • Run workers under an external watchdog (for example gunicorn's --timeout, enforced by the arbiter process) so a worker whose event loop is pinned is killed and replaced. A timeout implemented inside that same event loop (asyncio timeouts or handler-level timeouts) cannot fire while the loop is blocked.

Remediation Steps:

  1. Identify vulnerable services with pip show aiohttp (or python -c "import aiohttp; print(aiohttp.__version__)" inside each service's environment, since a host may carry several virtualenvs).
  2. Patch via pip install --upgrade aiohttp.
  3. Verify the version is >= 3.13.3.
  4. Restart affected services.

Read the full report for CVE-2025-69229 on our website for more details including interactive diagrams and full exploit analysis.
