Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.

Related CPE's

a

aiohttp

aiohttp

Vulnerable

References

https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e

Patch

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76

Vendor AdvisoryPatch

Weaknesses

[email protected]

Primary
CWE-22CWE-200

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-05T23:15:40.913Z

1 week ago

Last modified

2026-01-14T19:16:23.373Z

1 hour ago