VYPR
Low severity · OSV Advisory · Published Jan 5, 2026 · Updated Jan 6, 2026

AIOHTTP allows for a brute-force leak of internal static filepath components

CVE-2025-69226

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---------|-----------|-------------------|------------------|
| aiohttp | PyPI      | < 3.13.3          | 3.13.3           |
