6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-69226

CVE-2025-69226: AIOHTTP allows for a brute-force leak of internal static ﬁlepath components

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-69226

CVE-2025-69226:

6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
aiohttp	pip	<= 3.13.2	3.13.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, CVE-2025-69226, is an information disclosure flaw in aiohttp's static file handling. When an application uses web.static(), an attacker can craft URLs with path traversal characters (e.g., ../) to probe for the existence of files and directories on the server's filesystem, outside of the intended static directory. The vulnerability is not a full path traversal that allows reading arbitrary files, but rather a brute-force technique where the server's response (or timing) reveals whether a given path component exists.

The root cause is the improper validation of the request path in the aiohttp.web_urldispatcher.StaticResource.resolve function. It checked if the path started with the expected prefix without first normalizing it. This allowed traversal sequences to be present in the URL.

The patch addresses this by introducing os.path.normpath() to canonicalize the path before performing the prefix check. This ensures that any traversal sequences are resolved, and the final path is correctly validated to be within the static root, thus preventing the information leak. The _handle method was also changed to remove a redundant and insufficient check for absolute paths, consolidating the security logic within the resolve method.

Vulnerable functions

aiohttp.web_urldispatcher.StaticResource.resolve

aiohttp/web_urldispatcher.py

The vulnerability lies in the lack of path normalization before checking if the requested path is within the static directory. An attacker could use path traversal sequences (e.g., '..') to test for the existence of files and directories outside the intended static root. The server's response would differ depending on whether the path existed, leaking information about the server's file system structure. The patch introduces `os.path.normpath` to resolve the path before validation, preventing the traversal.

aiohttp.web_urldispatcher.StaticResource._handle

aiohttp/web_urldispatcher.py

This function processes the filename matched from the URL. The removed code was an incomplete check for absolute paths. While the primary vulnerability was in the `resolve` method, this function was part of the vulnerable request handling flow. The change is part of a larger fix to centralize path validation in the `resolve` method. The old logic could be bypassed, and its error response (`HTTPForbidden`) could contribute to the information leak.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-69226: AIOHTTP allows for a brute-force leak of internal static ﬁlepath components

CVE-2025-69226:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.3

6.3

Technical Details

Basic Information

Basic Information

CVE-2025-69226: AIOHTTP allows for a brute-force leak of internal static ﬁlepath components

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI