CVE-2025-69226NVD

Vulnerability Summary

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.

Severity Level

MEDIUM(6.3)

Published Date

Jan 5, 2026

Last Modified

Jan 14, 2026

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-22: Path Traversal ↗

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory.

CVSS v4.0 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

External References

https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76

Critical Alert 2 Active Exploits Detected Today

Critical Alert

CVE Watchtower

CVE-2025-69226NVD

Vulnerability Summary

External References