AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0859-1 advisory.

    - CVE-2025-69228: Fixed denial of service through large payloads (bsc#1256022).
    - CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc#1256020).
    - CVE-2025-69224: Fixed unicode processing of header values could cause parsing discrepancies     (bsc#1256018).
    - CVE-2025-69223: Fixed aiohttp HTTP Parser auto_decompress feature susceptible to zip bomb (bsc#1256017).
    - CVE-2025-69227: Fixed DoS when bypassing asserts (bsc#1256021).
    - CVE-2025-69225: Fixed unicode match groups in regexes for ASCII protocol elements (bsc#1256019).
    - CVE-2025-69229: Fixed DoS through chunked messages (bsc#1256023).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0858-1 advisory.

    - CVE-2025-69228: Fixed denial of service through large payloads (bsc#1256022).
    - CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc#1256020).
    - CVE-2025-69224: Fixed unicode processing of header values could cause parsing discrepancies     (bsc#1256018).
    - CVE-2025-69223: Fixed aiohttp HTTP Parser auto_decompress feature susceptible to zip bomb (bsc#1256017).
    - CVE-2025-69227: Fixed DoS when bypassing asserts (bsc#1256021).
    - CVE-2025-69225: Fixed unicode match groups in regexes for ASCII protocol elements (bsc#1256019).
    - CVE-2025-69229: Fixed DoS through chunked messages (bsc#1256023).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:3959 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-controller: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file     unpacking (CVE-2026-24049)
    * automation-controller: pyasn1 has a DoS vulnerability in decoder (CVE-2026-23490)
    * automation-gateway: React Router vulnerable to XSS via Open Redirects (CVE-2026-22029)
    * python3.11-aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb     (CVE-2025-69223)
    * python3.11-django: Django: SQL injection via crafted column aliases in QuerySet.order_by()     (CVE-2026-1312)
    * python3.11-django: Django: SQL Injection via crafted column aliases (CVE-2026-1287)
    * python3.11-django: Django: Denial of Service via crafted HTML inputs (CVE-2026-1285)
    * python3.11-django: Django: SQL Injection via RasterField band index parameter (CVE-2026-1207)
    * python3.11-django: Django: Denial of Service via crafted request with duplicate headers (CVE-2025-14550)
    * python3.11-protobuf: Denial of Service in Python Protobuf (CVE-2026-0994)
    * receptor: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes included:

    * Python has been updated to 3.12 (AAP-56567)

    IMPORTANT: All users must download the latest version of the installer. Attempting to install or upgrade     with a previous version of the installer could result in failure.

    Automation Platform
    * The OpenAPI gateway spec is now accurate for the legacy_auth endpoint (AAP-63422)
    * Fixed a bug that was preventing users from viewing complete survey question choices that contained a     colon (AAP-66389)
    * Added source control branch option for inventory source form (AAP-63544)
    * automation-gateway has been updated to 2.5.20260225

    Automation controller
    * Added token auth to 2.5 (AAP-65488)
    * Fixed the job list endpoint to no longer load the job artifacts, resulting in better performance     (AAP-63221)
    * Enabled cross-organization credential sharing for teams. The changes were made in the legacy RBAC     functionality (AAP-54804)
    * automation-controller has been updated to 4.6.26

    Automation hub
    * Updated _ui/v2 endoints to properly enforce RBAC permissions (AAP-66638)
    * Added a static OpenAPI spec to galaxy that focuses the potential endpoints users can call (AAP-66417)
    * automation-hub has been updated to 4.10.12

    Event-Driven Ansible
    * Overrode RQ's default heartbeat to call register_birth, allowing worker re-registration in case of     worker disconnects from Redis, and also eliminating Ghost Workers. Also, bump rq version to 2.6.1, which     is a more recent and stable release (AAP-56872)
    * automation-eda-controller has been updated to 1.1.16

    Container-based Ansible Automation Platform
    * containerized installer setup has been updated to 2.5-22

    RPM-based Ansible Automation Platform
    * Fixed an issue where restore was not properly generating SSL certificate for redis in cluster mode     (AAP-60991)
    * ansible-automation-platform-installer and installer setup have been updated to 2.5-21

    Additional changes:
    * ansible-core has been updated to 2.16.16
    * All python3.11- prefixed rpms are replaced with python3.12- prefixed rpms

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 10 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:3958 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-controller: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file     unpacking (CVE-2026-24049)
    * automation-controller: pyasn1 has a DoS vulnerability in decoder (CVE-2026-23490)
    * automation-platform-ui: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)
    * automation-platform-ui: React Router has XSS Vulnerability (CVE-2025-59057)
    * automation-platform-ui: React Router SSR XSS in ScrollRestoration (CVE-2026-21884)
    * automation-platform-ui: React Router vulnerable to XSS via Open Redirects (CVE-2026-22029)
    * python3.11-aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb     (CVE-2025-69223)
    * python3.11-django: Django: SQL injection via crafted column aliases in QuerySet.order_by()     (CVE-2026-1312)
    * python3.11-django: Django: SQL Injection via crafted column aliases (CVE-2026-1287)
    * python3.11-django: Django: Denial of Service via crafted HTML inputs (CVE-2026-1285)
    * python3.11-django: Django: SQL Injection via RasterField band index parameter (CVE-2026-1207)
    * python3.11-django: Django: Denial of Service via crafted request with duplicate headers (CVE-2025-14550)
    * python3.11-protobuf: Denial of Service in Python Protobuf (CVE-2026-0994)
    * receptor: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes included:

    * Python has been updated to 3.12 (AAP-56567)

    IMPORTANT: All users must download the latest version of the installer. Attempting to install or upgrade     with a previous version of the installer could result in failure.

    Automation Platform
    * Fix a bug where an Organization Administrator could not delegate permissions to objects within their     organization (AAP-65081)
    * Fixed a restore issue where feature flags table wasn't created/updated as expected even on partial     migrations (AAP-65815)
    * automation-gateway has been updated to 2.6.20260225

    Automation Platform UI
    * If the Project's source control branch is overridden by a Template or template Schedule, it is now     displayed on the schedule detail and schedule edit form review step (AAP-60920)
    * Fix issue preventing reordering more than 50 authentication mappings (AAP-59119)
    * automation-platform-ui has been updated to 2.6.6

    Automation controller
    * Fixed an issue where the awx CLI modify command did not display available field flags for users who have     an admin role on a specific resource but do not have permission to create new resources of that type     (AAP-65813)
    * Fixed the job list endpoint to no longer load the job artifacts, resulting in better performance     (AAP-63489)
    * Fixed missing RoleUserAssignment openapi schema component (AAP-60826)
    * automation-controller has been updated to 4.7.9

    Automation hub
    * Updated _ui/v2 endoints to properly enforce RBAC permissions (AAP-66634)
    * Added a static OpenAPI spec to galaxy that focuses the potential endpoints users can call (AAP-66415)
    * Improved documentation for Hub OpenAPI spec (AAP-66412 and AAP-66410)
    * automation-hub has been updated to 4.11.6

    Event-Driven Ansible
    * Added eda plugin lifecycle handling (deprecation, redirection, tombstoning) (AAP-62721)
    * Overrode RQ's default heartbeat to call register_birth, allowing worker re-registration in case of     worker disconnects from Redis, and also eliminating Ghost Workers. Also, rq version was updated to 2.6.1,     which is a more recent and stable release (AAP-56872)
    * ansible-rulebook has been updated to 1.2.1
    * automation-eda-controller has been updated to 1.2.6

    Container-based Ansible Automation Platform
    * Fixed automation gateway preflight check which doesn't require ansible_host to be define anymore     (AAP-65370)
    * '/home/{{ ansible_user_id }}' path references in receptor configuration are replaced by the     ansible_user_dir ansible fact (AAP-64452)
    * Increased envoy request timeout from 1 second to 5 seconds (AAP-64323)
    * Added retry mechanism when trying to get the Automation controller status (AAP-64291)
    * Disabling TLS on envoy no longe causes controller connection error when running Merge organization task     (AAP-62904)
    * Fixed compatibility when jinja2 native is enabled on ansible core (AAP-62878)
    * Removed TLS verification when pushing container images to the Automation hub registry and TLS is     disabled (AAP-62864)
    * URL anchors in the inventory samples was updated to reflect official documentation (AAP-55780)
    * containerized installer setup has been updated to 2.6-6

    RPM-based Ansible Automation Platform
    * Increased envoy request timeout from 1 second to 5 seconds (AAP-64008)
    * ansible-automation-platform-installer and installer setup have been updated to 2.6-5

    Additional changes:
    * ansible-core has been updated to 2.16.16
    * All python3.11- prefixed rpms are replaced with python3.12- prefixed rpms

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8032-1 advisory.

    Charles Chan discovered that AIOHTTP incorrectly handled the decompression of compressed requests. A     remote attacker could possibly use this issue to cause a denial of service. This issue was only addressed     in Ubuntu 25.10. (CVE-2025-69223)

    Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII characters in HTTP headers. A remote     attacker could possibly use this issue to perform a request smuggling attack to bypass certain proxy     protections. This issue was only addressed in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
    (CVE-2025-69224)

    Thomas Rinsma discovered that AIOHTTP incorrectly handled non-ASCII characters in the Range header. A     remote attacker could possibly use this issue to perform a request smuggling attack. (CVE-2025-69225)

    Thomas Rinsma discovered that AIOHTTP incorrectly handled path normalization when serving static files. A     remote attacker could possibly use this issue to obtain sensitive information. (CVE-2025-69226)

    Thomas Rinsma discovered that AIOHTTP incorrectly handled certain POST request bodies. A remote attacker     could possibly use this issue to cause a denial of service. (CVE-2025-69227)

    Thomas Rinsma discovered that AIOHTTP incorrectly handled large POST request payloads. A remote attacker     could possibly use this issue to cause a denial of service. (CVE-2025-69228)

    It was discovered that AIOHTTP incorrectly handled chunked messages. A remote attacker could possibly use     this issue to cause a denial of service. (CVE-2025-69229)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20204-1 advisory.

    Changes in python-aiohttp:

    - CVE-2025-69228: Fixed denial of service through large payloads (bsc#1256022).
    - CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc#1256020).
    - CVE-2025-69224: Fixed unicode processing of header values could cause parsing discrepancies     (bsc#1256018).
    - CVE-2025-69223: Fixed aiohttp HTTP Parser auto_decompress feature susceptible to zip bomb (bsc#1256017).
    - CVE-2025-69227: Fixed DoS when bypassing asserts (bsc#1256021).
    - CVE-2025-69225: Fixed unicode match groups in regexes for ASCII protocol elements (bsc#1256019).
    - CVE-2025-69229: Fixed DoS through chunked messages (bsc#1256023).
    - CVE-2025-53643: Fixed request smuggling due to incorrect parsing of chunked trailer section     (bsc#1246517).

    Changes in python-Brotli:

    - Add max length decompression (bsc#1254867, bsc#1256017).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below     allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a     compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed     in version 3.13.3. (CVE-2025-69223)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
302110	SUSE SLES15 Security Update : python-aiohttp (SUSE-SU-2026:0859-1)	Nessus	SuSE Local Security Checks	high
301812	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-aiohttp (SUSE-SU-2026:0858-1)	Nessus	SuSE Local Security Checks	high
301388	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (Important) (RHSA-2026:3959)	Nessus	Red Hat Local Security Checks	high
301326	RHEL 10 / 9 : Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update (Important) (RHSA-2026:3958)	Nessus	Red Hat Local Security Checks	high
299345	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : AIOHTTP vulnerabilities (USN-8032-1)	Nessus	Ubuntu Local Security Checks	high
299126	openSUSE 16 Security Update : python-aiohttp, python-Brotli (openSUSE-SU-2026:20204-1)	Nessus	SuSE Local Security Checks	high
281873	Linux Distros Unpatched Vulnerability : CVE-2025-69223	Nessus	Misc.	high

Detections

Analytics

CVE-2025-69223

high

Tenable Plugins

high

high

high

high

high

high

high