Platform: python
Component: aiohttp
Fixed in: 3.13.4, 3.13.3
CVE-2025-69226 describes a path disclosure vulnerability in aiohttp, an asynchronous HTTP client/server framework for Python. It is not a path traversal: no file content is read outside the static root. Instead, when an application serves files through web.static(), an attacker can learn whether given absolute path components exist on the host, turning the static handler into a filesystem existence oracle. This advisory lists versions up to and including 3.9.5 as affected; the fix shipped in version 3.13.3.
The primary impact of CVE-2025-69226 is reconnaissance. An attacker who can tell which paths exist on the server gains no direct access to file contents, but can map the application's directory layout, confirm the presence of sensitive files (configuration, credentials, source), and plan a more targeted follow-on attack. The issue is specific to web.static(), which the aiohttp documentation already discourages for production deployments because of its security trade-offs; a reverse proxy such as nginx is the usual recommendation for serving static assets.
CVE-2025-69226 is not currently listed in the CISA KEV catalog. Its EPSS score is low (0.06%, 20th percentile), consistent with the limited impact and the precondition that the application uses the discouraged web.static() function. Public proof-of-concept (PoC) code was not widely available as of the publication date. The vulnerability was publicly disclosed on January 5, 2026, and the patch was released the same day.
Applications running aiohttp version 3.9.5 or earlier are at risk, particularly those that serve static files with web.static(). Python developers who rely on aiohttp for HTTP handling should treat any version below the fixed release 3.13.3 as unpatched and prioritize upgrading the dependency.
• python / server: check the installed version from a Python shell:
    import aiohttp
    print(aiohttp.__version__)
• python / supply-chain: check project dependencies for affected aiohttp versions (the advisory lists 3.9.5 and earlier; anything below the fixed release 3.13.3 should be treated as unpatched) with `pip freeze | grep aiohttp`.
• generic web: inspect application logs for requests to static file routes that carry unusual path components (absolute paths, encoded separators, parent-directory segments).
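The supply-chain check above, worked out as an added example (this is not code from the advisory or from the aiohttp project): it parses `pip freeze` or requirements.txt output, finds the pinned aiohttp version, and compares it against the fixed release 3.13.3 named on this page. The sample freeze output is constructed, and ignoring pre-release suffixes when comparing versions is a simplifying assumption.

```python
"""Added example: flag an aiohttp pin that is below the fixed release.

Not code from the advisory or the aiohttp project. FIXED_VERSION is the
first fixed release named on the page; pre-release suffixes are ignored
(assumption, errs toward flagging).
"""
from __future__ import annotations

import re
from typing import Optional

FIXED_VERSION = (3, 13, 3)  # first fixed release per the advisory

# Constructed sample of `pip freeze` output; not taken from a real project.
SAMPLE_FREEZE = """\
aiohttp==3.9.5
aiosignal==1.3.1
multidict==6.0.5
yarl==1.9.4
"""

# Matches "aiohttp==X", also with extras such as "aiohttp[speedups]==X".
PIN_RE = re.compile(r"aiohttp(?:\[[^\]]*\])?\s*==\s*([^\s;]+)", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.13.3' or '3.13.3rc1' into a comparable tuple of ints.

    Only the numeric dotted prefix is compared; a suffix like 'rc1' is
    dropped (assumption).
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def find_aiohttp_pin(freeze_output: str) -> Optional[str]:
    """Return the '=='-pinned aiohttp version, or None if not pinned."""
    for line in freeze_output.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = PIN_RE.match(line)
        if m:
            return m.group(1)
    return None


def is_vulnerable(version: str) -> bool:
    """True when the version is below the first fixed release."""
    return parse_version(version) < FIXED_VERSION


def installed_version() -> Optional[str]:
    """Runtime check from the detection list: aiohttp.__version__ if importable."""
    try:
        import aiohttp  # type: ignore
    except ImportError:
        return None
    return aiohttp.__version__


def check_freeze(freeze_output: str) -> str:
    """Human-readable verdict for a freeze/requirements listing."""
    fixed = ".".join(map(str, FIXED_VERSION))
    pin = find_aiohttp_pin(freeze_output)
    if pin is None:
        return "aiohttp not pinned with '==' (check aiohttp.__version__ at runtime)"
    if is_vulnerable(pin):
        return f"aiohttp {pin} is below {fixed}: upgrade"
    return f"aiohttp {pin} is at or above {fixed}"


if __name__ == "__main__":
    print(check_freeze(SAMPLE_FREEZE))
    print("installed:", installed_version())
```

Feed it real output with `pip freeze | python check_aiohttp.py` style plumbing by reading `sys.stdin`; the sample above exercises the one line that matters.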
Timeline: disclosure and patch, both on January 5, 2026
Exploit status: no confirmed reports of active exploitation
EPSS: 0.06% (20th percentile)
CISA SSVC: none listed
The recommended mitigation for CVE-2025-69226 is to upgrade to aiohttp version 3.13.3 or later. If upgrading is not immediately feasible, stop using web.static() in production and serve static assets from a reverse proxy instead. A Web Application Firewall (WAF) with rules against path manipulation can reduce exposure but does not remove the underlying oracle. No dedicated detection signature is available; monitor application logs for requests to static routes that carry absolute paths, encoded separators, or other components outside the expected file names. The fix improves path normalization so that the handler no longer reveals whether absolute path components exist.
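The log monitoring suggested above, as an added example that is not code from the advisory or the aiohttp project: a heuristic scan of Common Log Format access-log lines for requests under a static prefix whose remaining path looks like probing. Which components count as "unusual" is an assumption (the advisory publishes no signature), and the log lines are constructed.

```python
"""Added example: heuristic scan of access-log lines for static-route probing.

Not code from the advisory or the aiohttp project. The three heuristics
(absolute path after the prefix, percent-encoded separators, parent-
directory segments) are assumptions; tune them for your routes.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2026:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 1024
203.0.113.5 - - [05/Jan/2026:10:00:02 +0000] "GET /static//etc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [05/Jan/2026:10:00:03 +0000] "GET /static/%2Fetc%2Fhostname HTTP/1.1" 404 0
203.0.113.9 - - [05/Jan/2026:10:00:04 +0000] "GET /static/../app.py HTTP/1.1" 404 0
198.51.100.2 - - [05/Jan/2026:10:00:05 +0000] "GET /api/health HTTP/1.1" 200 17
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_components(remainder: str) -> list[str]:
    """Reasons the part of the URL after the static prefix looks like probing."""
    reasons: list[str] = []
    lowered = remainder.lower()
    decoded = unquote(remainder)
    if decoded.startswith("/"):
        # "/static//etc/passwd": the client supplied an absolute path component
        reasons.append("absolute path after static prefix")
    if "%2f" in lowered or "%5c" in lowered:
        reasons.append("encoded path separator")
    if "\\" in decoded:
        reasons.append("backslash separator")
    if ".." in decoded.split("/"):
        reasons.append("parent-directory segment")
    return reasons


def scan_log(text: str, static_prefix: str = "/static/") -> list[dict]:
    """Return one record per static-route request that trips a heuristic."""
    hits: list[dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(static_prefix):
            continue
        reasons = suspicious_components(m["path"][len(static_prefix):])
        if reasons:
            hits.append(
                {
                    "ip": m["ip"],
                    "path": m["path"],
                    "status": int(m["status"]),
                    "reasons": reasons,
                }
            )
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["path"]} -> {", ".join(hit["reasons"])}')
```

A burst of such requests from one client, especially with alternating 404 and 200 responses, is the access pattern an existence oracle produces; pair the scan with a per-IP count before alerting.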
Update the aiohttp library to version 3.13.3 or later. This fixes the static file path information leak. You can update with pip: `pip install --upgrade "aiohttp>=3.13.3"`.
CVE-2025-69226 is a LOW severity vulnerability in aiohttp affecting versions up to 3.9.5. It allows attackers to discover the existence of path components if web.static() is used.
You are affected if you are using aiohttp version 3.9.5 or earlier, especially if your application uses the web.static() function.
Upgrade to aiohttp version 3.13.3 or later. Avoid using web.static() in production environments.
There are no confirmed reports of active exploitation as of the publication date, but vigilance is still advised.
Refer to the aiohttp GitHub repository commit: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e