Aiohttp · Aiohttp · CVE-2024-42367
**Name of the Vulnerable Software and Affected Versions**
aiohttp versions prior to 3.10.2
**Description**
The issue is a path traversal outside the root directory in static routes that serve files with compressed variants (`.gz` or `.br` extension) when those variants are symbolic links. The server normally protects against such traversal when `follow_symlinks=False` (the default) by resolving the requested URL to an absolute path and checking that it lies within the root. However, when the `FileResponse` class looks for compressed variants, these checks are not performed, and symbolic links are followed implicitly by the `Path.stat()` and `Path.open()` calls used to send the file.
**Recommendations**
For aiohttp versions prior to 3.10.2, update to version 3.10.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of compressed variants in static routes or restricting use of the `FileResponse` class until the patch is applied. Additionally, ensure that `follow_symlinks=False` to minimize the risk of path traversal outside the root directory.
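The following is an added illustration of the containment check the description says is missing for compressed variants; it is not aiohttp's own code. The helper `resolve_static` and the constructed directory layout in `build_demo_tree` (a static root with `index.html`, plus an `index.html.gz` symlink pointing at a file outside the root) are assumptions for this example. The point it shows is that the check must be made on the fully resolved path of every candidate, including the `.gz` and `.br` variants, because `Path.stat()` and `Path.open()` follow symlinks unconditionally.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Hypothetical helper (not aiohttp's FileResponse): order in which compressed
# variants are tried, keyed by the Accept-Encoding token that enables them.
COMPRESSED_VARIANTS = (("br", ".br"), ("gzip", ".gz"))


def resolve_static(root: Path, rel_url: str, accept_encoding: str,
                   follow_symlinks: bool = False) -> Optional[Tuple[Path, Optional[str]]]:
    """Return (path_to_send, content_encoding) or None if nothing safe exists.

    Every candidate, plain or compressed, is resolved (symlinks included) and
    rejected unless the resolved location is inside root, mirroring the check
    the advisory says is applied to the plain file but skipped for variants.
    """
    root = root.resolve()
    base = root.joinpath(rel_url)
    candidates = []
    for encoding, suffix in COMPRESSED_VARIANTS:
        if encoding in accept_encoding:
            candidates.append((base.with_name(base.name + suffix), encoding))
    candidates.append((base, None))
    for candidate, encoding in candidates:
        try:
            real = candidate.resolve(strict=True)  # follows symlinks and '..'
        except (OSError, RuntimeError):
            continue  # missing file, dangling symlink or symlink loop
        if not follow_symlinks and not real.is_relative_to(root):
            continue  # resolved variant escapes root: do not serve it
        if not real.is_file():
            continue
        return real, encoding
    return None


def build_demo_tree(tmp: Path) -> Path:
    """Constructed layout: static root with index.html, and an index.html.gz
    symlink whose target lives outside the root."""
    root = tmp / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    outside = tmp / "outside.txt"
    outside.write_text("not meant to be served")
    os.symlink(outside, root / "index.html.gz")
    return root


def demo() -> dict:
    """Exercise the check against the constructed tree and report outcomes."""
    with tempfile.TemporaryDirectory() as d:
        root = build_demo_tree(Path(d))
        gz_link = (root / "index.html.gz").resolve()
        strict = resolve_static(root, "index.html", "gzip, br")
        permissive = resolve_static(root, "index.html", "gzip, br", follow_symlinks=True)
        traversal = resolve_static(root, "../outside.txt", "")
        return {
            "gz_target_outside_root": not gz_link.is_relative_to(root.resolve()),
            "strict_served": strict[0].name if strict else None,
            "strict_encoding": strict[1] if strict else None,
            "permissive_served": permissive[0].name if permissive else None,
            "permissive_encoding": permissive[1] if permissive else None,
            "dotdot_blocked": traversal is None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the default `follow_symlinks=False` the `.gz` candidate resolves to `outside.txt`, fails the containment check and is skipped, so the plain `index.html` is served uncompressed; only with `follow_symlinks=True` is the symlinked variant served. Requires Python 3.9+ for `Path.is_relative_to`, and a platform where the test user may create symlinks.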