CVE-2025-69226
aiohttp Static Resource Path Traversal and Existence Oracle
Alon Barad
Software EngineerFeb 28, 2026·5 min read·47 visits
Executive Summary (TL;DR)
aiohttp <= 3.13.2 allows attackers to map the filesystem via `web.static()` routes. By sending path traversal requests, attackers can distinguish between existing files (403 Forbidden) and missing files (404 Not Found) outside the static root. Fixed in 3.13.3.
A path traversal vulnerability exists in aiohttp versions 3.13.2 and earlier within the `web.static()` route definition. Due to improper path normalization during the request routing phase, the application fails to correctly filter requests containing traversal sequences (e.g., `../`). While the underlying file handler prevents reading content outside the static root, it returns distinct HTTP status codes for existing versus non-existing files. This discrepancy creates a side-channel oracle, allowing unauthenticated remote attackers to enumerate the server's filesystem structure.
Vulnerability Overview
CVE-2025-69226 affects aiohttp, a widely used asynchronous HTTP client/server framework for Python. The vulnerability resides specifically in the UrlDispatcher.add_static method and the associated StaticResource class, which are responsible for serving static files from a designated directory.
In versions 3.13.2 and prior, the routing logic allows requests with traversal sequences (e.g., /static/../../etc/passwd) to pass the initial URL matching phase. Although the subsequent file handling logic blocks access to the file content, it inadvertently leaks information about the file's existence. When an attacker requests a file that exists outside the static root, the server responds with 403 Forbidden. Conversely, if the file does not exist, the server responds with 404 Not Found.
This behavior classifies the issue as an Existence Oracle (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) facilitated by Path Traversal (CWE-22). While it does not permit arbitrary file read (Confidentiality impact is Low), it enables attackers to brute-force directory structures and identify the presence of sensitive files, config files, or logs on the host system.
Root Cause Analysis
The root cause lies in a logical discrepancy between the routing phase (resolve) and the handling phase (_handle) of a request.
The StaticResource class in aiohttp determines if a request matches a defined static route. In vulnerable versions, the resolve method simply checked if the raw requested URL path started with the configured static prefix (e.g., /static/). It did not normalize the path before this check. Consequently, a request for /static/../secret would satisfy the prefix check (/static/) and be routed to the static file handler.
Once the request reached the handler, aiohttp performed security checks to ensure the resolved path did not escape the root directory. If the path resolved to a file outside the root, the handler raised an HTTPForbidden (403) exception. If the path did not resolve to a file at all, the standard behavior for a static handler is to return HTTPNotFound (404).
This separation of concerns created the oracle: the router was too permissive, accepting traversal paths that the handler would later reject for security reasons. The difference in rejection methods (403 for security violation vs. 404 for missing file) provided the side channel.
Code Analysis
The fix was implemented in aiohttp/web_urldispatcher.py by introducing path normalization directly into the routing logic. This ensures that any path attempting to traverse out of the static prefix is detected before it is matched to the handler.
Below is the analysis of the patch in StaticResource.resolve:
# aiohttp/web_urldispatcher.py
async def resolve(self, request: Request) -> _Resolve:
path = request.rel_url.path_safe
method = request.method
# [PATCH] Normalization added here
# We normalise here to avoid matches that traverse below the static root.
# e.g. /static/../../../../home/user/webapp/static/
norm_path = os.path.normpath(path)
if IS_WINDOWS:
norm_path = norm_path.replace("\\", "/")
# [PATCH] Check against normalized path instead of raw path
# If the normalized path has traversed out (e.g., becomes "/etc/passwd"),
# it will no longer start with "/static/", failing this check.
if not norm_path.startswith(self._prefix2) and norm_path != self._prefix:
return None, set()
# ... rest of resolution logicBy normalizing path to norm_path using os.path.normpath, sequences like /static/../ are resolved immediately. If the resulting path does not start with the required prefix, the router returns None. This causes the server to return a 404 Not Found for the URL, making the response indistinguishable from a request for a non-existent page.
Exploitation Mechanics
Exploiting this vulnerability requires sending HTTP GET requests to a known static file endpoint. The attacker does not need authentication. The goal is to identify if specific files exist on the server.
Scenario: A server has static files mapped to /static/.
Step 1: Probe for existing system file
The attacker sends: GET /static/../../../../etc/passwd HTTP/1.1
- Vulnerable Server: Returns 403 Forbidden. This confirms
/etc/passwdexists. - Patched Server: Returns 404 Not Found. The server denies knowledge of this path.
Step 2: Probe for non-existent file
The attacker sends: GET /static/../../../../etc/doesnotexist HTTP/1.1
- Vulnerable Server: Returns 404 Not Found.
- Patched Server: Returns 404 Not Found.
By automating these requests with a wordlist of common files (e.g., config files, source code, SSH keys), an attacker can map the directory structure. This information is valuable for chaining attacks, such as identifying the location of a configuration file to target with a separate local file inclusion (LFI) vulnerability.
Remediation & Mitigation
The primary remediation is to upgrade the aiohttp library to version 3.13.3 or later. This version includes the patch that enforces path normalization within the StaticResource.resolve method.
Installation:
pip install aiohttp>=3.13.3Configuration Best Practices:
The aiohttp documentation and security advisories consistently recommend against using web.static() for serving static files in production environments. This feature is intended for development convenience.
For production deployments, static files should be served by a dedicated reverse proxy (such as Nginx or Apache) or a Content Delivery Network (CDN). These specialized servers have more robust, battle-tested path handling logic and performance optimizations. Moving static file serving to a reverse proxy effectively mitigates this class of vulnerability within the application layer.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS Score
5.3/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NEPSS Probability
0.06%
Top 81% most exploited
Affected Systems
aiohttp <= 3.13.2
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
aiohttp aio-libs | <= 3.13.2 | 3.13.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 |
| CWE Name | Improper Limitation of a Pathname to a Restricted Directory |
| CVSS v3.1 | 5.3 (Medium) |
| Attack Vector | Network |
| Impact | Information Disclosure (Existence Oracle) |
| EPSS Score | 0.00061 (Low) |
MITRE ATT&CK Mapping
CWE-22
Path Traversal
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Known Exploits & Detection
Vulnerability Timeline
Patch committed to main branch
2026-01-03
CVE-2025-69226 Published
2026-01-05
Version 3.13.3 Released
2026-01-05
