AIOHTTP vulnerable to brute-force leak of internal static ﬁle path components

GHSA-54jq-c3m8-4m76 · CVE-2025-69226

Published Jan 5, 2026 · Modified Feb 4, 2026

Description

Summary

Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the
existence of absolute path components.

Impact

If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.

Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e

References

WEB https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-69226
WEB https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
PACKAGE https://github.com/aio-libs/aiohttp

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes