CVE-2023-29159

7.5 HIGH

📋 TL;DR

A directory traversal vulnerability in Starlette web framework allows unauthenticated remote attackers to access files outside the intended web root directory. This affects web services built using Starlette versions 0.13.5 through 0.26.1. Attackers can potentially view sensitive files like configuration files, source code, or credentials.

💻 Affected Systems

Products:
  • Starlette
Versions: 0.13.5 through 0.26.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Starlette's static file serving functionality. Applications not serving static files are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through exposure of sensitive files like SSH keys, database credentials, or configuration secrets leading to data breach or further system access.

🟠 Likely Case

Exfiltration of sensitive configuration files, source code, or environment variables containing API keys and credentials.

🟢 If Mitigated

Limited impact if proper file permissions restrict access to sensitive files and web server runs with minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests to static file endpoints. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.27.0

Vendor Advisory: https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px

Restart Required: Yes

Instructions:

1. Update Starlette to version 0.27.0 or later using pip (quote the specifier so the shell does not treat `>` as a redirect): pip install "starlette>=0.27.0"
2. Restart your application server
3. Verify the update with: pip show starlette

🔧 Temporary Workarounds

Disable static file serving
Applies to: all
Remove or disable Starlette's static file serving functionality if it is not required.

Implement middleware validation
Applies to: all
Add custom middleware to validate and sanitize requested file paths before they are processed.
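An added illustration of the path check such middleware would perform (example code written for this page, not Starlette's own implementation; the static root, sibling directory, escaping symlink and request list are constructed, and a POSIX file system is assumed):

```python
import os
import shutil
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote

def safe_static_path(root: str, requested: str) -> Optional[str]:
    """Map a requested URL path onto a file under `root`.

    Returns the resolved on-disk path, or None when the request would escape
    the static root via '..', a percent-encoded '..', or a symlink.
    """
    root_real = os.path.realpath(root)
    # Decode percent-encoding first so '..%2f' and '%2e%2e%2f' are seen as '../'.
    decoded = unquote(requested)
    # A leading '/' would make os.path.join discard the root, so strip it.
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    try:
        # Compare whole path components. A plain string-prefix test would
        # wrongly accept a sibling directory such as '<root>_private'.
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return candidate if inside else None

def check_requests() -> Dict[str, bool]:
    """Build a constructed static root plus a sibling directory and a symlink
    that points outside the root, then report which requests would be served."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "static")
        private = os.path.join(base, "static_private")
        os.makedirs(root)
        os.makedirs(private)
        os.symlink(private, os.path.join(root, "link"))  # escapes the root
        requests = [
            "app.js",                           # legitimate file under root
            "sub/../app.js",                    # '..' that stays inside root
            "../static_private/secret",         # plain traversal
            "..%2fstatic_private%2fsecret",     # encoded separator
            "%2e%2e%2fstatic_private%2fsecret", # fully encoded traversal
            "/../static_private/secret",        # absolute-looking path
            "link/secret",                      # traversal through a symlink
        ]
        return {r: safe_static_path(root, r) is not None for r in requests}
    finally:
        shutil.rmtree(base)
```

Only the two in-root requests are accepted; every traversal variant, including the symlink, resolves outside the root and is rejected.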

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block directory traversal patterns like '../' in URLs
  • Run application with minimal file system permissions and isolate static files in dedicated directory with restricted access

🔍 How to Verify

Check if Vulnerable:

Check the Starlette version: pip show starlette | grep Version. If the version is between 0.13.5 and 0.26.1 inclusive and the application serves static files, it is vulnerable.

Check Version:

pip show starlette | grep Version

Verify Fix Applied:

Verify Starlette version is 0.27.0 or later: pip show starlette | grep Version

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' patterns in URL paths
  • Unusual file access patterns to non-static directories
  • 404 errors for attempted directory traversal

Network Indicators:

  • HTTP requests with encoded directory traversal sequences (%2e%2e%2f, ..%2f)
  • Requests to static endpoints with unusual path depths

SIEM Query:

source="web_logs" AND (url="*../*" OR url="*..%2f*" OR url="*%2e%2e%2f*")

🔗 References