282 matches found
CVE-2025-69226 AIOHTTP allows for a brute-force leak of internal static filepath components
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses...
CVE-2025-69226 AIOHTTP allows for a brute-force leak of internal static filepath components
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses...
CVE-2025-69226
CVE-2025-69226 affects AIOHTTP (async HTTP client/server for asyncio) where versions 3.13.2 and below leak information about absolute path components via the static file path normalization logic when using web.static(). This can enable an attacker to determine path components; the issue is fixed ...
CVE-2025-66518 Apache Kyuubi: Unauthorized directory access due to missing path normalization
Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade t...
CVE-2025-66518
Apache Kyuubi Server 1.6.0–1.10.2 is affected by a path traversal/unauthorized local-file access vulnerability where an attacker able to reach the Kyuubi frontend could bypass the kyuubi.session.local.dir.allow.list. Root cause involves insufficient path normalization, permitting access to local ...
PT-2026-1351
Name of the Vulnerable Software and Affected Versions AIOHTTP versions 3.13.2 and below Description AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, has an issue where versions 3.13.2 and below allow an attacker to determine the existence of absolute path components...
aiohttp 信息泄露漏洞
aiohttp is an open source asynchronous HTTP client/server framework for asyncio and Python from aio-libs. An information disclosure vulnerability exists in aiohttp 3.13.2 and earlier versions, which stems from path normalization logic that may disclose absolute path component information,...
CVE-2025-66905
The Takes web framework's TkFiles take thru 2.0-SNAPSHOT fails to canonicalize HTTP request paths before resolving them against the filesystem. A remote attacker can include ../ sequences in the request path to escape the configured base directory and read arbitrary files from the host system...
Langflow 安全漏洞
Langflow is a visualization framework for building multi-agent and RAG applications from the Langflow open source. A security vulnerability exists in Langflow versions prior to 1.7.0 that stems from a failure to restrict or normalize file paths, which could lead to arbitrary file creation or...
GHSA-X732-6J76-QMHM Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits
Summary An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs e.g., by collapsing multiple slashes, this can allow bypasses of disabledPaths and path-based rate limits. Details Better Auth...
Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits
Summary An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs e.g., by collapsing multiple slashes, this can allow bypasses of disabledPaths and path-based rate limits. Details Better Auth...
GO-2025-4206 Path Normalization Bypass in Traefik Router + Middleware Rules in github.com/traefik/traefik
Path Normalization Bypass in Traefik Router + Middleware Rules in github.com/traefik/traefik...
curl: Denial of Service (DoS) vulnerability in dedotdotify() URL path normalization
Summary A Denial of Service DoS vulnerability exists in the dedotdotify function in lib/urlapi.c that can cause excessive CPU consumption due to On² time complexity when processing URLs with malicious path patterns containing many ../ sequences. Affected Component - Component: libcurl URL API -...
SUSE CVE-2025-66490
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...
CVE-2025-66490
CVE-2025-66490 affects Traefik, where versions prior to 2.11.32 and 2.11.31–3.6.2 could bypass path normalization when using PathPrefix, Path, or PathRegex matchers. Under path-based routing, requests containing URL-encoded restricted characters (/, , Null, ;, ?, #) may bypass the middleware chai...
EUVD-2025-201731
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...
CVE-2025-66490 Traefik doesn't Prevent Path Normalization Bypass in Router + Middleware Rules
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...
CVE-2025-66490
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...
CVE-2025-66490 Traefik doesn't Prevent Path Normalization Bypass in Router + Middleware Rules
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...
CVE-2025-66490 Traefik doesn't Prevent Path Normalization Bypass in Router + Middleware Rules
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...