Low severity. OSV Advisory · Published Jan 5, 2026 · Updated Jan 6, 2026
AIOHTTP allows for a brute-force leak of internal static filepath components
CVE-2025-69226
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, the path normalization logic for static files (the logic intended to prevent path traversal) lets an attacker ascertain whether absolute path components exist on the server. If an application uses web.static() (not recommended for production deployments), an attacker may be able to confirm the existence of such path components. This issue is fixed in version 3.13.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aiohttp (PyPI) | < 3.13.3 | 3.13.3 |
Affected products
References
- github.com/advisories/GHSA-54jq-c3m8-4m76 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-69226 (NVD advisory)
- github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e (commit)
- github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76 (GitHub security advisory)