CVE-2025-69226

MEDIUM

aiohttp < 3.13.3 - Path Traversal in Static File Path Normalization

Title source: llm

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.

References (2)

Core 2

Core References

Vendor Advisory, Patch x_refsource_confirm

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76

Patch x_refsource_misc

https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e

View Patch ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0031

EPSS Percentile 22.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200 CWE-22

Status published

Products (2)

aiohttp/aiohttp < 3.13.3

pypi/aiohttp 0 - 3.13.3PyPI

Published Jan 05, 2026

Tracked Since Feb 18, 2026