CVE-2024-42367
📋 TL;DR
This vulnerability in aiohttp's static file serving lets a request for a normal static URL be answered with a file outside the static root. When a static route contains a compressed variant of a file (a sibling named `<file>.gz` or `<file>.br`) that is a symbolic link, aiohttp serves the link's target without applying the out-of-root check it applies to the requested file itself, so a link that points outside the root discloses that target. The default follow_symlinks=False does not prevent this; the check is simply skipped for the variant. aiohttp 3.10.0 and 3.10.1 (3.10.x before 3.10.2) are affected.
💻 Affected Systems
- aiohttp 3.10.0 and 3.10.1 (web server, static routes with .gz/.br compressed variants)
📦 What is this software?
aiohttp, the asynchronous HTTP client/server framework for Python maintained by the aio-libs project.
⚠️ Risk & Real-World Impact
Worst Case
Any file readable by the server process that a `.gz`/`.br` symbolic link in a static directory points at: configuration files, credentials, private keys, or other sensitive data. The link target, not the URL, decides what is disclosed.
Likely Case
Disclosure limited to whatever `.gz`/`.br` symbolic links already exist in the static tree. An attacker who cannot create symbolic links inside a static directory (for example through an upload or archive-extraction feature) has nothing to trigger, so most deployments are exposed only by links placed there by a build or deploy step.
If Mitigated
No impact if no `.gz`/`.br` symbolic links exist in static directories, or if every such link resolves inside the root. Note that follow_symlinks=False (the default) is not a mitigation for this issue: it is exactly the check that the compressed-variant lookup bypasses.
🎯 Exploit Status
Exploitation needs a symbolic link named `<file>.gz` or `<file>.br` inside a static directory that resolves outside the root, plus an ordinary GET for `/static/<file>` carrying an Accept-Encoding header that names gzip or br (aiohttp only looks for a compressed variant when the client advertises that encoding). No directory-traversal sequences in the URL are involved; the traversal happens through the link target on disk, so the request looks like normal static traffic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.10.2
Vendor Advisory: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
Restart Required: Yes
Instructions:
1. Upgrade aiohttp to version 3.10.2 or later using pip: pip install --upgrade "aiohttp>=3.10.2"
2. Restart all aiohttp server processes
3. Verify the upgrade with: python -c "import aiohttp; print(aiohttp.__version__)"
🔧 Temporary Workarounds
Remove compressed-variant symbolic links
Platform: linux
Remove every `.gz` and `.br` entry in static directories that is a symbolic link. Regular compressed files are not affected and can stay; only links are a problem. List the links and their targets first, then delete them (the `-delete` removes the link, not its target):
find /path/to/static -type l \( -name '*.gz' -o -name '*.br' \) -printf '%p -> %l\n'
find /path/to/static -type l \( -name '*.gz' -o -name '*.br' \) -delete
Keep follow_symlinks=False, but do not rely on it
Platform: all
follow_symlinks=False is the default and should stay set (follow_symlinks=True serves symlink targets outside the root by design, for every file, not just compressed variants). It does not, however, protect against this issue, because the out-of-root check is not applied when the compressed variant is looked up. Setting it explicitly only documents intent:
# In aiohttp app setup: app.router.add_static('/static', 'path/to/static', follow_symlinks=False)
🧯 If You Can't Patch
- Remove every `.gz`/`.br` symbolic link from static directories, and make sure nothing untrusted (upload handlers, archive extraction, deploy scripts running on user-supplied content) can create symbolic links there
- Strip the Accept-Encoding request header at the reverse proxy for static routes, or let the proxy serve static files itself; aiohttp only consults `.gz`/`.br` variants when the request advertises gzip or br, so a request without them is served from the checked base file
- Web application firewall rules that match `../` in URLs do not help here: the request path is a normal static path, and the traversal is in the link target on disk
🔍 How to Verify
Check if Vulnerable:
Check the aiohttp version (below). If it is 3.10.0 or 3.10.1, list every `.gz`/`.br` entry under each static root that is a symbolic link and compare each link's resolved target against the root; any link resolving outside the root is exploitable by a plain GET with Accept-Encoding: gzip or br.
Check Version:
python -c "import aiohttp; print(aiohttp.__version__)"
Verify Fix Applied:
Verify the aiohttp version is 3.10.2 or higher. To confirm behaviour on a test host, point a `<file>.gz` symbolic link at a file outside the static root and request `/static/<file>` with `Accept-Encoding: gzip`: a fixed server no longer returns the link target, while a vulnerable one returns it with `Content-Encoding: gzip`.
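The audit described above, as an added example (not aiohttp project code): it walks a static root, picks out every `.gz`/`.br` entry that is a symbolic link, resolves the link the way the vulnerable lookup did (following the whole chain) and reports whether the target lies outside the root. The sample tree it builds in a temporary directory (a real `app.js.gz`, a benign `style.css.gz` link inside the root, and an `app.js.br` link to a constructed `secret.txt` outside it) is constructed data for the demonstration.

```python
"""Audit an aiohttp static root for .gz/.br symlinks that escape the root.

Added example, not part of aiohttp. Run it as-is to see the report on a
constructed sample tree; call audit_static_root() on a real static root.
"""
import os
import tempfile
from pathlib import Path

VARIANT_SUFFIXES = (".gz", ".br")  # the compressed variants aiohttp looks for


def audit_static_root(root):
    """Return one finding per .gz/.br symlink under root.

    Each finding records the link (relative to the root), its raw target,
    the fully resolved target and whether that target is outside the
    resolved static root. Broken links are reported as well; their
    resolved path is still outside the root.
    """
    root_path = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_path):
        # Symlinks to directories show up in dirnames (os.walk does not
        # descend into them), symlinks to files in filenames; check both.
        for name in list(filenames) + list(dirnames):
            if not name.endswith(VARIANT_SUFFIXES):
                continue
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            raw_target = os.readlink(link)
            # resolve() follows the whole symlink chain, which is what a
            # stat()-based variant lookup does before serving the file.
            resolved = link.resolve()
            try:
                resolved.relative_to(root_path)
                outside = False
            except ValueError:
                outside = True
            findings.append({
                "link": str(link.relative_to(root_path)),
                "target": raw_target,
                "resolved": str(resolved),
                "outside_root": outside,
                "exists": resolved.exists(),
            })
    return findings


def build_sample_tree(base):
    """Construct a sample static root (constructed data, not a real deployment)."""
    static = base / "static"
    static.mkdir()
    (static / "app.js").write_text("console.log('ok')\n")
    (static / "app.js.gz").write_bytes(b"\x1f\x8b")  # a genuine compressed variant
    (static / "style.css").write_text("body{}\n")
    # Benign: a variant link that stays inside the root.
    os.symlink("app.js.gz", static / "style.css.gz")
    # Escaping: the .br variant points at a file outside the root.
    secret = base / "secret.txt"
    secret.write_text("db_password=hunter2\n")
    os.symlink(secret, static / "app.js.br")
    return static


def run_demo():
    """Build the sample tree, audit it, print the report and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        static = build_sample_tree(Path(tmp))
        findings = audit_static_root(static)
        for f in findings:
            flag = "OUTSIDE ROOT" if f["outside_root"] else "inside root"
            print(f"{f['link']} -> {f['target']} [{flag}]")
        return findings


if __name__ == "__main__":
    run_demo()
```

Any finding with `outside_root` set is a link a vulnerable server would serve to a request for the base file with the matching Accept-Encoding; removing the link (or pointing it inside the root) is the fix until the upgrade lands.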
📡 Detection & Monitoring
Log Indicators:
- The default aiohttp access log records neither Accept-Encoding nor Content-Encoding, so an exploited request looks like any other static hit. Add `"%{Accept-Encoding}i" "%{Content-Encoding}o"` to the server's access_log_format to see which static responses were served from a compressed variant.
- Static responses with Content-Encoding gzip or br for files that have no legitimate compressed variant on disk, or whose response size (%b) does not match the legitimate `.gz`/`.br` file
- New symbolic links appearing in static directories (file integrity monitoring, or audit rules on symlink creation under the static root)
Network Indicators:
- Requests for a static path with Accept-Encoding gzip or br whose response body is not valid gzip or brotli data (the raw target file is sent with the encoding header set)
- Requests containing `../` are not an indicator for this issue: the request path is an ordinary static path, and the traversal is in the link target on disk
SIEM Query:
web_access_logs WHERE url STARTS WITH '/static/' AND response_content_encoding IN ('gzip', 'br') AND url IN (<static paths whose .gz/.br variant is a symbolic link outside the root>)
🔗 References
- https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177
- https://github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674
- https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
- https://github.com/aio-libs/aiohttp/pull/8653
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj