CVE-2024-23334
📋 TL;DR
This CVE describes a directory (path) traversal vulnerability in aiohttp's static file handler when a static route is registered with follow_symlinks=True. In affected versions that branch performs no check that the requested file lies inside the configured static directory, so an unauthenticated attacker can read arbitrary files the server process is allowed to read, including sensitive system and application files. Only applications that use aiohttp as a web server and register a static route with follow_symlinks=True are affected; the default (follow_symlinks=False) is not.
💻 Affected Systems
- aiohttp
📦 What is this software?
Aiohttp by Aiohttp: aiohttp (aio-libs) is an asynchronous HTTP client/server framework for Python; the flaw is in the server-side static resource handler (app.router.add_static / web.static).
Fedora by Fedoraproject: Fedora is listed because it ships aiohttp as a distribution package and published the package updates linked in References (Debian LTS did likewise).
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file read with the privileges of the user running the aiohttp process: /etc/passwd, SSH keys, application configuration, or database credentials, anywhere that account can read. The traversal itself is read-only, but leaked keys or credentials can be reused for privilege escalation, lateral movement, or data exfiltration.
Likely Case
Unauthorized read access to application source code, configuration files, or other sensitive files on the server's filesystem that the service account can read, giving an attacker the information needed for further attacks.
If Mitigated
No file access outside the configured static directory: requests that resolve outside the root are answered with 404 Not Found, and symlinks are only followed where the deployment explicitly allows it.
🎯 Exploit Status
Exploitation is unauthenticated and needs only the static route prefix (often guessable, e.g. /static/) and a traversal payload. Browsers and most HTTP clients normalise ../ before sending, so attackers use a client that sends the path as-is (for example curl --path-as-is) or URL-encoded segments such as %2e%2e. A public PoC is linked in References (Exploit-DB).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.2
Vendor Advisory: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
Restart Required: Yes
Instructions:
1. Upgrade aiohttp to version 3.9.2 or later: pip install --upgrade 'aiohttp>=3.9.2' (quote the specifier so the shell does not treat > as a redirect). If aiohttp comes from the OS package manager, install the distribution update instead (Fedora and Debian LTS advisories are linked in References).
2. Restart the Python application/service; a running process keeps the old module loaded until it is restarted.
3. Verify with pip show aiohttp that the reported version is 3.9.2 or newer, and repeat the check in every virtual environment or container image that ships the application.
🔧 Temporary Workarounds
Disable follow_symlinks
Set follow_symlinks=False (the aiohttp default) on every static route. This re-enables the resolved-path containment check; the cost is that symlinks inside the static directory that point outside it will no longer be served.
In your aiohttp app configuration, ensure: app.router.add_static('/static', 'path/to/static', follow_symlinks=False) (and the same for any web.static(...) entries).
Use reverse proxy
Serve static files through a reverse proxy such as nginx or Apache instead of aiohttp's static route handler, and remove or block the aiohttp route so it cannot be reached directly.
Configure nginx: location /static/ { alias /path/to/static/; } (keep the trailing slash on both the location and the alias so the prefix substitution cannot be turned into an alias traversal).
Disable aiohttp static routes
Remove the add_static()/web.static() registrations entirely and serve assets from a CDN, object storage, or the reverse proxy above; with no static handler registered there is no vulnerable code path to reach.
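The workarounds above all come down to one property: the file finally opened must lie inside the static root. The following is an added example (not aiohttp's own code) of such a containment check, written to show what follow_symlinks changes and what the vulnerable versions skipped. The function name resolve_static_path, the containment_check switch and the sample files are assumptions made for illustration; it uses only the standard library and builds its own temporary tree.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_static_path(root, url_path: str, follow_symlinks: bool = False,
                        containment_check: bool = True) -> Optional[Path]:
    """Map a URL path under a static route to a file inside `root`, or return None.

    Illustrative containment check (not aiohttp's code). The request path is
    URL-decoded, joined to the root and then required to still lie inside root:
      - follow_symlinks=False: the fully resolved path (symlinks expanded) must be
        inside root, so a symlink pointing outside is refused;
      - follow_symlinks=True: only the lexically normalised path is checked, so
        '..' segments are refused but a symlink inside root may point outside.
    containment_check=False reproduces the CVE-2024-23334 behaviour, where the
    follow_symlinks=True branch had no check at all (demo only, never deploy).
    """
    root = Path(root).resolve()
    decoded = unquote(url_path)
    if "\x00" in decoded:              # NUL bytes never belong in a file name
        return None
    segments = [seg for seg in decoded.split("/") if seg]
    candidate = root.joinpath(*segments)
    if follow_symlinks:
        # Lexical normalisation only: collapses 'a/../b' but leaves symlinks alone.
        checked = Path(os.path.normpath(candidate))
    else:
        # Expand symlinks and '..' against the real filesystem.
        checked = candidate.resolve()
    if containment_check:
        try:
            checked.relative_to(root)  # raises ValueError when outside root
        except ValueError:
            return None
    return checked


def demo() -> dict:
    """Build a throwaway tree (constructed sample data) and exercise the check."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir).resolve()
        root = tmp / "static"
        root.mkdir()
        (root / "index.html").write_text("<h1>hello</h1>")
        secret = tmp / "secret.txt"                 # lives outside the static root
        secret.write_text("db_password=example")    # constructed sample secret
        (root / "link").symlink_to(secret)          # symlink inside root -> outside
        return {
            "plain_file": resolve_static_path(root, "index.html") == root / "index.html",
            "dotdot_blocked": resolve_static_path(root, "../secret.txt") is None,
            "dotdot_blocked_follow": resolve_static_path(root, "../secret.txt", follow_symlinks=True) is None,
            "encoded_blocked": resolve_static_path(root, "%2e%2e/secret.txt", follow_symlinks=True) is None,
            "symlink_refused_strict": resolve_static_path(root, "link") is None,
            "symlink_allowed_follow": resolve_static_path(root, "link", follow_symlinks=True) == root / "link",
            "unchecked_leaks": resolve_static_path(root, "../secret.txt", follow_symlinks=True,
                                                   containment_check=False) == secret,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The "unchecked_leaks" case is the bug class: with the check skipped, "../secret.txt" maps straight to a file outside the root. Note that the check is done on the resolved root as well as the candidate, so a root that is itself reached through a symlink (for example /tmp on macOS) does not produce false rejections.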
🧯 If You Can't Patch
- Disable static file serving in aiohttp completely and serve assets from a reverse proxy, CDN, or object storage
- Add strict WAF rules that block requests to the static prefix whose decoded path contains a .. segment, including %2e%2e and other encoded forms; treat this as a stopgap only, since encoding variants and prefix differences can slip past signature rules
🔍 How to Verify
Check if Vulnerable:
Check whether the deployment runs aiohttp <3.9.2 and registers a static route with follow_symlinks=True (grep the code base for follow_symlinks=True near add_static or web.static). Confirm by requesting a file outside the static directory with a client that does not normalise the path, e.g. curl --path-as-is http://host/static/../../etc/passwd; a 200 response carrying file contents confirms exposure.
Check Version:
pip show aiohttp | grep Version
Verify Fix Applied:
After upgrading to 3.9.2+, test that directory traversal attempts return 404 errors or are properly blocked.
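Grepping for follow_symlinks=True misses calls split across lines and does not tell you which route is affected. The block below is an added example (not part of the page or of aiohttp) that parses Python source with the standard ast module and reports every add_static()/web.static() call together with its follow_symlinks setting, plus a small version comparison against 3.9.2 for the output of pip show. The function names, the StaticRoute record and the SAMPLE_APP source are assumptions constructed for the example.

```python
import ast
import re
from dataclasses import dataclass
from typing import List, Union

FIXED_VERSION = (3, 9, 2)
STATIC_CALLS = {"add_static", "static"}   # app.router.add_static(...) and web.static(...)


@dataclass
class StaticRoute:
    lineno: int
    call: str
    follow_symlinks: Union[bool, str, None]   # True/False, "dynamic", or None (default False)


def find_static_routes(source: str) -> List[StaticRoute]:
    """Return every add_static()/web.static() call in `source`, found via the AST."""
    routes = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in STATIC_CALLS:
            continue
        value: Union[bool, str, None] = None   # keyword absent -> aiohttp default False
        for kw in node.keywords:
            if kw.arg == "follow_symlinks":
                if isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, bool):
                    value = kw.value.value
                else:
                    value = "dynamic"          # e.g. follow_symlinks=settings.X; review by hand
        routes.append(StaticRoute(node.lineno, ast.unparse(node), value))
    routes.sort(key=lambda r: r.lineno)
    return routes


def unsafe_static_routes(source: str) -> List[StaticRoute]:
    """Routes exposed on aiohttp < 3.9.2: follow_symlinks is literally True."""
    return [r for r in find_static_routes(source) if r.follow_symlinks is True]


def is_version_affected(version: str) -> bool:
    """True when a release version string (as printed by pip show aiohttp) is below 3.9.2."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED_VERSION


# Constructed sample application source used to exercise the scanner.
SAMPLE_APP = '''\
from aiohttp import web
app = web.Application()
app.router.add_static("/static", "public", follow_symlinks=True)   # exposed on < 3.9.2
app.router.add_static("/assets", "assets")                         # default: False
app.add_routes([web.static("/media", "media", follow_symlinks=False)])
'''


if __name__ == "__main__":
    import sys
    sources = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_APP]
    for src in sources:
        for route in find_static_routes(src):
            flag = "UNSAFE" if route.follow_symlinks is True else "ok"
            print(f"line {route.lineno}: {flag} follow_symlinks={route.follow_symlinks} :: {route.call}")
    print("affected version example: 3.9.1 ->", is_version_affected("3.9.1"))
```

A "dynamic" result (the value comes from a variable or settings object) still needs a manual look, and the scanner is a heuristic: any call named static() is reported, so review the printed call text rather than trusting the name alone.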
📡 Detection & Monitoring
Log Indicators:
- Static-route requests whose path contains .. segments (raw or encoded) that received a 200 response: on unpatched servers the file is served rather than refused, so a 200 here indicates a successful read
- Bursts of 404s for traversal-shaped paths under the static prefix (failed attempts, or probing after the patch)
- Requests under the static prefix for paths naming system or application secrets (etc/passwd, .ssh/, .env, config files)
Network Indicators:
- HTTP requests to static endpoints containing ../ or encoded variants (%2e%2e/, ..%2f, %2e%2e%2f), typically from scripted clients that do not normalise paths
- Unusual file extensions or paths in static route requests (e.g. .py, .env, .conf, .key) rather than the expected web assets
SIEM Query:
source="aiohttp" path="/static/*" (url="*../*" OR url="*%2e%2e*" OR url="*..%2f*") | stats count by src_ip, status, url
Treat status=200 matches as probable successful reads; filtering on status=404 alone under the static prefix is too noisy to be a useful signal.
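For teams without a SIEM, the same logic can be run directly over aiohttp access logs. The block below is an added example (not code from the page or from aiohttp): it parses lines in aiohttp's default access log format (%a %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"), decodes the request path until it is stable so %2e%2e and double-encoded forms are caught, and flags traversal-shaped requests under the static prefix, separating successful reads (2xx) from attempts. The helper names and SAMPLE_LOG lines are constructed for the example and are not real traffic.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# aiohttp's default access log format:
#   %a %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
# i.e. remote address, time, request line, status, body size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def fully_unquote(s: str, rounds: int = 3) -> str:
    """URL-decode until stable so %2e%2e and double-encoded %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str, prefix: str = "/static/") -> bool:
    """True if the decoded request path is under `prefix` and contains a '..' segment."""
    path = fully_unquote(target.split("?", 1)[0]).replace("\\", "/")
    return path.startswith(prefix) and ".." in path.split("/")


def scan_access_log(lines: List[str], prefix: str = "/static/") -> List[Dict[str, str]]:
    """Flag traversal attempts against the static route.

    A 2xx answer means the file was probably served (pre-3.9.2 behaviour);
    anything else is recorded as an attempt.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"], prefix):
            continue
        status = m["status"]
        verdict = "probable_exploit" if status.startswith("2") else "attempt"
        hits.append({"ip": m["ip"], "target": m["target"], "status": status, "verdict": verdict})
    return hits


# Constructed sample lines in aiohttp's default format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 [10/Feb/2024:12:00:01 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 2314 "-" "curl/8.5.0"',
    '10.0.0.5 [10/Feb/2024:12:00:02 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 14 "-" "curl/8.5.0"',
    '10.0.0.5 [10/Feb/2024:12:00:03 +0000] "GET /static/..%2f..%2fetc/hosts HTTP/1.1" 200 158 "-" "curl/8.5.0"',
    '203.0.113.7 [10/Feb/2024:12:00:04 +0000] "GET /static/css/app.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 [10/Feb/2024:12:00:05 +0000] "GET /api/items?q=..%2f.. HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['verdict']:17} {hit['ip']:12} {hit['status']} {hit['target']}")
```

If the access log format was customised (the access_log_format argument to run_app), adjust LOG_RE accordingly; the decoding and segment test in is_traversal are independent of the log layout, and the segment test deliberately ignores names like "a..b" that merely contain two dots.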
🔗 References
- https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b
- https://github.com/aio-libs/aiohttp/pull/8079
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/
- https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html
- https://www.exploit-db.com/exploits/52474