CVE-2024-23334
Published: 29 January 2024
Summary
CVE-2024-23334 is a medium-severity Path Traversal (CWE-22) vulnerability in aiohttp (vendor: Aiohttp). Its CVSS base score is 5.9 (Medium).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
aiohttp is an asynchronous HTTP client and server framework for Python and asyncio. The vulnerability is a path traversal flaw (CWE-22) that occurs when the framework is used as a web server and static routes are configured with the follow_symlinks option set to True. In this configuration, aiohttp performs no validation to ensure that requested files remain inside the designated static root directory, allowing access to arbitrary files on the underlying filesystem even in the absence of symbolic links. The issue affects all versions prior to 3.9.2 and carries a CVSS 3.1 score of 5.9.
An unauthenticated remote attacker can exploit the flaw over the network by sending crafted requests to a static file handler. Successful exploitation results in disclosure of sensitive files outside the intended web root, with high impact to confidentiality but no direct effect on integrity or availability. The attack requires the server to have explicitly enabled follow_symlinks and does not rely on the presence of symlinks.
The official GitHub security advisory and the fixing commit in version 3.9.2 recommend disabling follow_symlinks or placing aiohttp behind a reverse proxy that performs its own path validation. Fedora has also published updated packages that incorporate the fix.
The associated EPSS score remains high and stable near 0.94 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0001
Vulnerability details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
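The root cause described in both the deeper analysis and the vulnerability details above is a missing containment check: with follow_symlinks=True, nothing verified that the requested path stayed under the static root, and that gap exists independently of any symlink. The following is an added example written for this page, not aiohttp's own code, showing the shape of check a static handler needs. It performs lexical normalisation (collapsing ".." segments) before any filesystem lookup and requires the result to lie under the root; only when follow_symlinks is False does it additionally require the symlink-resolved path to lie under the root. The function and its names (resolve_static_path, StaticPathError, demo) are hypothetical, and the directory layout and request paths are constructed fixtures built in a temporary directory.

```python
import os
import tempfile
from pathlib import Path


class StaticPathError(ValueError):
    """Raised when a request path would leave the static root."""


def resolve_static_path(root: Path, request_path: str, follow_symlinks: bool = False) -> Path:
    """Map a URL path (relative to the static route) onto a file under ``root``.

    Two independent checks mirror the distinction the advisory draws:
    1. Lexical containment: after normalising ``..`` and ``.`` segments, the path
       must still lie under ``root``. This is the check that was missing when
       follow_symlinks=True, and it does not depend on any symlink existing.
    2. Symlink containment: with follow_symlinks=False the fully resolved path
       must also lie under ``root``; with follow_symlinks=True a link is allowed
       to point outside, which is the documented (and risky) behaviour of the option.
    """
    root = root.resolve()
    rel = Path(request_path)
    if rel.is_absolute() or rel.anchor:
        raise StaticPathError("absolute paths are not allowed")
    # Normalise lexically before touching the filesystem, so "a/../../x" is
    # rejected whether or not "a" exists under the root.
    candidate = Path(os.path.normpath(root / rel))
    try:
        candidate.relative_to(root)
    except ValueError:
        raise StaticPathError(f"{request_path!r} escapes the static root") from None
    resolved = candidate.resolve()
    if not follow_symlinks:
        try:
            resolved.relative_to(root)
        except ValueError:
            raise StaticPathError(f"{request_path!r} follows a symlink outside the root") from None
    if not resolved.is_file():
        raise FileNotFoundError(request_path)
    return resolved


def demo() -> dict:
    """Build a throwaway static root (constructed fixture) and classify sample requests.

    Returns a mapping of (follow_symlinks, request_path) -> "served" | "blocked".
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        (root / "css").mkdir(parents=True)
        (root / "css" / "site.css").write_text("body {}")
        outside = base / "outside.txt"          # a file that must never be served
        outside.write_text("not for the web")
        (root / "link").symlink_to(outside)     # symlink inside the root pointing out
        results = {}
        for follow in (False, True):
            for req in ("css/site.css", "../outside.txt", "css/../../outside.txt", "link"):
                try:
                    resolve_static_path(root, req, follow_symlinks=follow)
                    results[(follow, req)] = "served"
                except StaticPathError:
                    results[(follow, req)] = "blocked"
        return results


if __name__ == "__main__":
    for (follow, req), outcome in sorted(demo().items()):
        print(f"follow_symlinks={follow!s:5}  {req:24}  {outcome}")
```

The fixture separates the two failure modes: the "../" requests are blocked by the lexical check regardless of the follow_symlinks setting (this is the traversal the advisory describes), while the "link" request is blocked only when follow_symlinks is False, since allowing links to leave the root is exactly what the option opts into. A deployment that needs follow_symlinks=True still keeps the lexical check and, per the advisory, should sit behind a reverse proxy that validates paths independently.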
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.