Debian dla-4613 : python-aiohttp-doc - security update

Severity: High | Nessus Plugin ID 318080

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4613 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4613-1                [email protected]
https://www.debian.org/lts/security/                      Daniel Leidert
June 01, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-aiohttp
Version        : 3.7.4-1+deb11u2
CVE ID         : CVE-2025-53643 CVE-2025-69224 CVE-2025-69225 CVE-2025-69226
                 CVE-2025-69227 CVE-2025-69228 CVE-2025-69229 CVE-2026-22815
                 CVE-2026-34513 CVE-2026-34514 CVE-2026-34516 CVE-2026-34517
                 CVE-2026-34518 CVE-2026-34519 CVE-2026-34520 CVE-2026-34525


Several vulnerabilities have been found in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python.


CVE-2025-53643

Request smuggling vulnerability due to not parsing trailer sections of an HTTP request.

CVE-2025-69224

Possible request smuggling attack in the HTTP parser with the presence of non-ASCII characters.

CVE-2025-69225

Parser logic which allows non-ASCII decimals to be present in the Range header.

CVE-2025-69226

Path traversal vulnerability that allows an attacker to ascertain the existence of path components.

CVE-2025-69227

When processing a POST body, an infinite loop can occur when assert statements are bypassed leading to a possible DoS attack.

CVE-2025-69228

Possible DoS attack that can freeze the server by exhausting the memory using Request.post().

CVE-2025-69229

Handling of chunked messages can result in excessive CPU blocking when receiving a large number of chunks.

CVE-2026-22815

Uncapped memory usage due to insufficient restrictions in header and trailer handling.

CVE-2026-34513

Excessive memory usage possibly resulting in a DoS due to an unbounded DNS cache.

CVE-2026-34514

Header injection.

CVE-2026-34516

Potential DoS vulnerability caused by a response with an excessive number of multipart headers.

CVE-2026-34517

Possible excessive memory usage caused by some multipart form fields due to reading the entire field into memory before checking client_max_size.

CVE-2026-34518

Leaking sensitive information by dropping the Cookie and the Proxy-Authorization headers when following redirects to a different origin.

CVE-2026-34519

Header injection via the reason parameter.

CVE-2026-34520

Possible security bypass by checking header values for control characters according to RFC 9110.

CVE-2026-34525

Headers can be duplicated, e.g. the host header.


For Debian 11 bullseye, these problems have been fixed in version 3.7.4-1+deb11u2.

We recommend that you upgrade your python-aiohttp packages.

For the detailed security status of python-aiohttp please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-aiohttp

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the python-aiohttp-doc packages.

See Also

http://www.nessus.org/u?4b73efdc

https://security-tracker.debian.org/tracker/CVE-2025-53643

https://security-tracker.debian.org/tracker/CVE-2025-69224

https://security-tracker.debian.org/tracker/CVE-2025-69225

https://security-tracker.debian.org/tracker/CVE-2025-69226

https://security-tracker.debian.org/tracker/CVE-2025-69227

https://security-tracker.debian.org/tracker/CVE-2025-69228

https://security-tracker.debian.org/tracker/CVE-2025-69229

https://security-tracker.debian.org/tracker/CVE-2026-22815

https://security-tracker.debian.org/tracker/CVE-2026-34513

https://security-tracker.debian.org/tracker/CVE-2026-34514

https://security-tracker.debian.org/tracker/CVE-2026-34516

https://security-tracker.debian.org/tracker/CVE-2026-34517

https://security-tracker.debian.org/tracker/CVE-2026-34518

https://security-tracker.debian.org/tracker/CVE-2026-34519

https://security-tracker.debian.org/tracker/CVE-2026-34520

https://security-tracker.debian.org/tracker/CVE-2026-34525

https://packages.debian.org/source/bullseye/python-aiohttp

Plugin Details

Severity: High

ID: 318080

File Name: debian_DLA-4613.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/1/2026

Updated: 6/1/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2025-53643

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-34516

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python-aiohttp-doc, p-cpe:/a:debian:debian_linux:python3-aiohttp-dbg, p-cpe:/a:debian:debian_linux:python3-aiohttp, cpe:/o:debian:debian_linux:11.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 6/1/2026

Vulnerability Publication Date: 7/14/2025

Reference Information

CVE: CVE-2025-53643, CVE-2025-69224, CVE-2025-69225, CVE-2025-69226, CVE-2025-69227, CVE-2025-69228, CVE-2025-69229, CVE-2026-22815, CVE-2026-34513, CVE-2026-34514, CVE-2026-34516, CVE-2026-34517, CVE-2026-34518, CVE-2026-34519, CVE-2026-34520, CVE-2026-34525