Path Traversal in Aio-libs Aiohttp
CVE-2025-69226
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.001 (16.8th percentile)
Affected products
- Aio-libs Aiohttp — versions < 3.13.3
Weakness classification (CWE)
References
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76 (x_refsource_CONFIRM)
- https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e (x_refsource_MISC)