UNIX Symbolic Link (Symlink) Following Affecting aiohttp package, versions [,3.10.2)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-AIOHTTP-7675597
  • published11 Aug 2024
  • disclosed9 Aug 2024
  • creditsteverep

Introduced: 9 Aug 2024

CVE-2024-42367  (opens in a new tab)
CWE-61  (opens in a new tab)

How to fix?

Upgrade aiohttp to version 3.10.2 or higher.

Overview

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following through the FileResponse class due to improper validation for compressed variants. An attacker can access files outside the intended directory by manipulating symbolic links to point to restricted areas by performing Path.stat() and Path.open() to send the file.

Note

This vulnerability impacts servers with static routes that contain compressed variants as symbolic links pointing outside the root directory or that permit users to upload or create such links.

CVSS Scores

version 4.0
version 3.1