CVE-2024-39903

8.6 HIGH

📋 TL;DR

This Local File Inclusion vulnerability in Solara allows attackers to read arbitrary files on the server by manipulating URI fragments with directory traversal sequences like '../'. It affects all Solara deployments running versions before 1.35.1 that serve static files.

💻 Affected Systems

Products:
  • widgetti/solara
Versions: All versions < 1.35.1
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Solara deployment serving static files. The vulnerability is in the static file serving component.

📦 What is this software?

Solara is an open-source Python framework for building web applications and data apps from React-style components; it runs inside Jupyter or as a standalone web application served by its own server, which is where the affected static file serving component lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive files like SSH keys, configuration files with credentials, or database connection strings, potentially leading to lateral movement and data exfiltration.

🟠 Likely Case

Unauthorized access to sensitive application files, configuration data, or user data stored on the server filesystem.

🟢 If Mitigated

Limited impact with proper file permissions and network segmentation, though sensitive files could still be exposed if accessible to the application user.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests with crafted URI fragments. No authentication or special privileges needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.35.1

Vendor Advisory: https://github.com/widgetti/solara/security/advisories/GHSA-9794-pc4r-438w

Restart Required: Yes

Instructions:

1. Update Solara: pip install --upgrade solara==1.35.1
2. Restart all Solara applications and services
3. Verify the version with: python -c "import solara; print(solara.__version__)"

🔧 Temporary Workarounds

Disable static file serving (applies to: all)

If static file serving is not required, disable it in the Solara configuration: configure Solara not to serve static files through its application settings.

Web server proxy filtering (applies to: all)

Configure the reverse proxy (nginx, Apache) to filter or block requests containing '../' sequences. Note that nginx matches location blocks against the normalised URI, in which '..' segments have already been collapsed, so a rule that must see the raw request path should test $request_uri instead.

nginx location block: location ~ \.\./ { deny all; }
Apache rule: RewriteRule .*\.\./.* - [F]

🧯 If You Can't Patch

  • Implement strict file system permissions to limit what files the Solara process user can read
  • Deploy network segmentation to isolate Solara instances from sensitive systems and data

🔍 How to Verify

Check if Vulnerable:

Run python -c "import solara; print(solara.__version__)"; if the reported version is lower than 1.35.1, the system is vulnerable.

Check Version:

python -c "import solara; print(solara.__version__)"

Verify Fix Applied:

After patching, test with a controlled request containing '../' in URI fragment to ensure it's blocked

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with '../' sequences in URI fragments
  • Multiple failed file access attempts from single IP

Network Indicators:

  • HTTP GET requests with unusual fragment patterns
  • Rapid sequential requests for different file paths

SIEM Query:

source="web_server" AND (uri_fragment="*../*" OR uri_fragment="*..\\*" OR uri_fragment="*%2e%2e%2f*")
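The SIEM query above matches only the three literal patterns it lists, and the proxy workaround earlier only sees the form of the path that the proxy hands it. The following Python script is an added defender-side example, not code from Solara or from this advisory: it normalises a request path the way a careful static file handler should (repeated percent-decoding, backslash unification), flags '..' segments in web server log lines, counts flagged requests per client IP, and implements the containment check (resolved path must stay under the static root) that closes this class of bug. The log lines, IP addresses (RFC 5737 documentation ranges), file names and the static root directory name are all constructed for the example; `scan_log`, `has_traversal` and `is_contained` are hypothetical helper names, not Solara APIs.

```python
"""Detection and containment helpers for '../' path traversal (constructed example)."""
import re
from collections import Counter
from pathlib import Path
from urllib.parse import unquote

# Fields of a common/combined log format line that the scanner needs:
# client IP, request method, request path and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# A '..' that forms a whole path segment (start-or-slash before, slash-or-end after).
# A file literally named 'a..b' therefore does not trigger a false positive.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalise_request_path(raw: str) -> str:
    """Percent-decode until stable (catches double encoding) and unify separators."""
    decoded = raw
    for _ in range(3):  # bounded: stop as soon as decoding changes nothing
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Some file servers on Windows accept '\' as a separator, so treat it as '/'.
    return decoded.replace("\\", "/")


def has_traversal(raw_path: str) -> bool:
    """True if the request path contains a '..' segment after normalisation."""
    return TRAVERSAL_RE.search(normalise_request_path(raw_path)) is not None


def is_contained(requested: str, root) -> bool:
    """Mitigation-side check: does the request resolve to a location inside root?

    root may be a str or Path; it is resolved so symlinks and '..' are collapsed
    before the comparison.  The candidate is resolved the same way, and the
    relative_to() call fails exactly when the candidate escaped the root.
    """
    root = Path(root).resolve()
    rel = normalise_request_path(requested).lstrip("/")
    candidate = (root / rel).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return False
    return True


def scan_log(lines, threshold: int = 2):
    """Return (flagged requests, IPs with at least `threshold` flagged requests)."""
    flagged = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if has_traversal(m["path"]):
            flagged.append((m["ip"], m["path"], int(m["status"])))
            per_ip[m["ip"]] += 1
    noisy_ips = {ip for ip, n in per_ip.items() if n >= threshold}
    return flagged, noisy_ips


# Constructed sample log: one benign client and one client probing with plain,
# percent-encoded and backslash-encoded '..' segments.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jul/2024:12:00:01 +0000] "GET /static/css/app.css HTTP/1.1" 200 1234',
    '203.0.113.10 - - [10/Jul/2024:12:00:02 +0000] "GET /static/../../outside.txt HTTP/1.1" 404 0',
    '203.0.113.10 - - [10/Jul/2024:12:00:03 +0000] "GET /static/%2e%2e%2f%2e%2e%2fsecrets.ini HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Jul/2024:12:00:04 +0000] "GET /static/img/logo.png HTTP/1.1" 200 9876',
    '203.0.113.10 - - [10/Jul/2024:12:00:05 +0000] "GET /static/..%5c..%5cconfig.yml HTTP/1.1" 404 0',
]


def main():
    flagged, noisy_ips = scan_log(SAMPLE_LOG)
    for ip, path, status in flagged:
        print(f"traversal attempt from {ip}: {path} (status {status})")
    print("IPs over threshold:", sorted(noisy_ips))
    # Containment check against a hypothetical static root directory name.
    for req in ("css/app.css", "img/../css/app.css", "../../outside.txt"):
        print(f"{req!r} stays inside root: {is_contained(req, 'static_root_example')}")


if __name__ == "__main__":
    main()
```

The decode loop is bounded rather than open-ended so that a pathological input cannot keep the handler busy, and the containment check compares resolved paths instead of searching for '..' strings, which is why it also rejects encodings this scanner does not know about: whatever the request looks like, the file it resolves to must be under the static root.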
