CVE-2024-23334 in aiohttpinfo

Summary

by MITRE • 01/30/2024

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/07/2026

The vulnerability described in CVE-2024-23334 affects the aiohttp asynchronous HTTP framework for Python, specifically when used as a web server with static file serving capabilities. This issue stems from improper validation of file access when symbolic links are enabled, creating a directory traversal vulnerability that can be exploited to access arbitrary files on the system. The vulnerability exists in the static file handling mechanism where the framework fails to properly constrain file access even when the root directory is specified, leading to potential information disclosure and unauthorized system access. The flaw is particularly concerning because it can be exploited regardless of whether symbolic links are actually present in the system, making it a broad security risk for any application using aiohttp's static file serving functionality.

The technical implementation of this vulnerability occurs within aiohttp's static file routing mechanism when the follow_symlinks parameter is set to True. This configuration allows the framework to follow symbolic links that may point outside the designated static root directory, but lacks proper boundary checking to ensure that file access remains confined to the intended directory tree. When follow_symlinks is enabled, the framework does not validate whether a requested file path remains within the root directory boundaries, creating a path traversal condition that can be exploited by malicious users to access files they should not be able to reach. This behavior violates the principle of least privilege and can potentially expose sensitive system files, configuration data, or application secrets to unauthorized parties. The vulnerability is classified under CWE-22, which specifically addresses path traversal or directory traversal flaws in software systems.

The operational impact of this vulnerability is significant for organizations using aiohttp as their web server framework, particularly in production environments where static file serving is implemented. Attackers can leverage this vulnerability to access system files, application configuration files, database connection strings, API keys, or other sensitive data that may be stored outside the intended static file directories. The risk is compounded by the fact that the vulnerability can be exploited even without the presence of symbolic links, making it more difficult to detect and prevent. This type of vulnerability aligns with ATT&CK technique T1083, which covers the discovery of system information through directory listing and file access methods. Organizations may experience data breaches, compliance violations, and potential system compromise if this vulnerability is exploited, especially in environments where applications are not properly configured with security hardening measures.

The recommended mitigations for CVE-2024-23334 include disabling the follow_symlinks option when serving static files, which prevents the framework from following symbolic links that could lead outside the designated root directory. Additionally, implementing a reverse proxy configuration with proper access controls and file system restrictions provides an additional layer of protection. Organizations should also ensure they are using aiohttp version 3.9.2 or later, which includes the fix for this vulnerability. Security best practices recommend implementing strict file access controls, regular security audits of web server configurations, and monitoring for suspicious file access patterns. The vulnerability demonstrates the importance of proper input validation and access control mechanisms in web frameworks, particularly when dealing with file system operations. Organizations should also consider implementing web application firewalls and intrusion detection systems to monitor for exploitation attempts targeting this type of directory traversal vulnerability.

Responsible

GitHub, Inc.

Reservation

01/15/2024

Disclosure

01/30/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.76875

KEV

no

Activities

very low

Campaigns

1 (confirmed)

Sources

Want to know what is going to be exploited?

We predict KEV entries!