CVE-2025-69226 — Path Traversal in Aiohttp

CWE-22 — Path Traversal CWE-200 — Sensitive Information Exposure CWE-202 — Exposure of Sensitive Information Through Data Queries9 documents8 sources

Severity

6.3MEDIUMNVD

EPSS

0.1%

top 80.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aio-libs Aiohttp Aiohttp

Timeline

PublishedJan 5

Latest updateFeb 13

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDaiohttp/aiohttp< 3.13.3

▶PyPIaiohttp/aiohttp< 3.13.3

▶CVEListV5aio-libs/aiohttp< 3.13.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

AIOHTTP vulnerable to brute-force leak of internal static ﬁle path components↗2026-01-05

▶

OSV

CVE-2025-69226: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python↗2026-01-05

▶

CVEList

AIOHTTP allows for a brute-force leak of internal static ﬁlepath components↗2026-01-05

▶

OSV

AIOHTTP vulnerable to brute-force leak of internal static ﬁle path components↗2026-01-05

▶

📋Vendor Advisories

Ubuntu

AIOHTTP vulnerabilities↗2026-02-13

▶

Red Hat

aiohttp: aiohttp: Information disclosure of path components via static file path normalization↗2026-01-05

▶

Debian

CVE-2025-69226: python-aiohttp - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-69226 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶