CVE-2025-69226
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-69226
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2025-69226.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 3.13.3-1 |
| debian | sid | fixed | 3.13.3-1 |
| debian | trixie | fixed | 3.11.16-1+deb13u1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | aiohttp | <3.13.3 | 3.13.3 |
References
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76
- https://nvd.nist.gov/vuln/detail/CVE-2025-69226
- https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
- https://github.com/aio-libs/aiohttp
- https://www.suse.com/security/cve/CVE-2025-69226.html
- https://security-tracker.debian.org/tracker/CVE-2025-69226
Verify integrity in audit chain (admin only). AS-IS.