Platform: python
Component: aiohttp
Fixed in: 3.13.4, 3.13.3
CVE-2025-69226 describes a path disclosure vulnerability in aiohttp, an asynchronous HTTP client/server framework for Python 3.6+. It is not a direct path traversal: it lets an attacker determine whether particular absolute path components exist on the server when the application serves files with web.static(). The vulnerability affects aiohttp versions up to and including 3.9.5; a fix is available in version 3.13.3.
The primary impact of CVE-2025-69226 is that an attacker can enumerate file paths in and around the application's static file directory. This does not grant access to file contents, but it is useful reconnaissance: the attacker can identify sensitive files, map the application's directory layout, and plan further attacks on that basis. The issue is tied specifically to web.static(), which aiohttp discourages for production deployments because of its inherent security risks. Disclosing path components is an information leak that can make subsequent attacks more targeted.
CVE-2025-69226 is not currently listed in the CISA KEV catalog. The EPSS score is likely low given the limited impact and the precondition that the application uses the discouraged web.static() function. Public proof-of-concept (PoC) code was not widely available at the time of publication. The vulnerability was publicly disclosed on January 5, 2026, and a patch was released the same day.
Exploit Status
EPSS: 0.06% (20th percentile)
The recommended mitigation for CVE-2025-69226 is to upgrade to aiohttp version 3.13.3 or later. If upgrading is not immediately feasible, avoid using web.static() in production environments. Consider deploying a Web Application Firewall (WAF) with rules that block path manipulation attempts. No dedicated detection signature is readily available, so monitor application logs for unusual path requests or for attempts to reach static files outside the expected patterns. The fix improves path normalization so that absolute path components are no longer disclosed.
Update the aiohttp library to version 3.13.3 or later; this corrects the static file path information leak. You can update with pip: `pip install aiohttp==3.13.3`.
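As an added example (not code from this advisory or from the aiohttp project), the following script checks the two conditions the advisory ties exposure to: a requirements line that can resolve to an aiohttp release older than 3.13.3, and any web.static() / add_static() route registration in application source. The sample requirements text and application snippet are constructed for the demonstration.

```python
"""Audit helpers for CVE-2025-69226 (aiohttp static-file path disclosure).
Constructed example, not aiohttp project code: flags requirement lines that can
resolve to a release older than the fix (3.13.3) and locates the web.static() /
add_static() calls the advisory names as the precondition for exposure."""
import ast
import re

FIX_VERSION = (3, 13, 3)  # first release carrying the fix, per the advisory
# matches e.g. "aiohttp==3.9.5" or "aiohttp[speedups]>=3.13.3"
_REQ_RE = re.compile(
    r"^\s*aiohttp(?:\[[^\]]*\])?\s*(==|<=|>=|~=)\s*([0-9][\w.]*)", re.I)

# Constructed sample inputs (not taken from any real project).
SAMPLE_REQUIREMENTS = "requests==2.31.0\naiohttp==3.9.5\n# pinned\naiohttp[speedups]>=3.13.3\n"
SAMPLE_APP_SOURCE = (
    "from aiohttp import web\n"
    "app = web.Application()\n"
    "app.router.add_static('/static/', './static')\n"
    "app.add_routes([web.static('/assets', './assets')])\n"
)


def parse_version(text: str) -> tuple:
    """'3.13.3' -> (3, 13, 3); '3.14.0rc1' -> (3, 14, 0); pre-release tags ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def lacks_fix(version: str) -> bool:
    """True when this aiohttp version predates the fixed release."""
    return parse_version(version) < FIX_VERSION


def unfixed_pins(requirements_text: str) -> list:
    """(line_no, spec) for aiohttp requirement lines that admit an unfixed release."""
    hits = []
    for n, line in enumerate(requirements_text.splitlines(), 1):
        m = _REQ_RE.match(line)
        # each accepted operator admits the stated version itself or something below it
        if m and lacks_fix(m.group(2)):
            hits.append((n, line.strip()))
    return hits

def static_route_calls(source: str) -> list:
    """Line numbers of web.static(...) / router.add_static(...) calls in source."""
    return sorted(node.lineno for node in ast.walk(ast.parse(source))
                  if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                  and node.func.attr in ("static", "add_static"))
```

Run `unfixed_pins` over your real requirements.txt and `static_route_calls` over each application module; an empty result from both means the advisory's preconditions are not met.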
CVE-2025-69226 is a LOW severity vulnerability in aiohttp affecting versions up to 3.9.5. It allows an attacker to discover whether particular path components exist when web.static() is used.
You are affected if you are running aiohttp version 3.9.5 or earlier, especially if your application uses the web.static() function.
Upgrade to aiohttp version 3.13.3 or later. Avoid using web.static() in production environments.
There are no confirmed reports of active exploitation as of the publication date, but vigilance is still advised.
Fix commit in the aiohttp GitHub repository: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e