Safety vulnerability ID: 74380
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of aiohttp are vulnerable to Directory Traversal (CWE-22). An attacker can read sensitive files outside the intended directory via symbolic links that carry compressed file extensions. The vulnerability is in the FileResponse class, which uses stat() rather than lstat() when checking for compressed variants of a requested file; stat() follows symlinks, so a link that points outside the served directory is treated as an ordinary file and served. To mitigate, update aiohttp to a release that includes the fix, or modify the code to use lstat() and serve only regular files.
Latest version: 3.11.11
Async http client/server framework (asyncio)
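The stat()/lstat() mechanism described above, as an added illustration that is not aiohttp's own code: a simplified compressed-variant lookup in its weak form (stat(), follows the link) beside a hardened form (lstat() plus a containment check), run against a constructed directory layout. The function names, suffix table and sample layout are assumptions made for this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Compressed-variant suffixes a handler might probe (constructed, not aiohttp's).
SUFFIXES = {"br": ".br", "gzip": ".gz"}


def pick_variant_weak(path, encodings):
    """Weak check: stat() follows symlinks, so a symlink named page.html.gz
    that points outside the served tree still reports S_ISREG and is served."""
    for enc in encodings:
        cand = path.with_name(path.name + SUFFIXES[enc])
        try:
            st = cand.stat()  # follows the link to its target
        except FileNotFoundError:
            continue
        if stat.S_ISREG(st.st_mode):
            return cand
    return None


def pick_variant_hardened(root, path, encodings):
    """Hardened check: lstat() inspects the directory entry itself, so a
    symlink is rejected; the resolved path must also stay inside root."""
    root = root.resolve()
    for enc in encodings:
        cand = path.with_name(path.name + SUFFIXES[enc])
        try:
            st = cand.lstat()  # does not follow the link
        except FileNotFoundError:
            continue
        if stat.S_ISREG(st.st_mode) and cand.resolve().is_relative_to(root):
            return cand
    return None


def demo():
    """Constructed layout: a symlink variant pointing outside static/ beside a genuine .gz."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "static"
        root.mkdir()
        secret = Path(tmp) / "secret.txt"  # lives outside the served tree
        secret.write_text("not for the web")
        os.symlink(secret, root / "page.html.gz")  # the dangerous entry
        (root / "ok.html.gz").write_bytes(b"\x1f\x8b")  # gzip magic only
        page, ok = root / "page.html", root / "ok.html"
        return {
            "weak_serves_symlink": pick_variant_weak(page, ["gzip"]) is not None,
            "hardened_serves_symlink": pick_variant_hardened(root, page, ["gzip"]) is not None,
            "hardened_serves_real": pick_variant_hardened(root, ok, ["gzip"]) is not None,
        }
```

demo() returns True for the weak check on the symlink and False for the hardened one, while the hardened check still serves the genuine pre-compressed file.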