⚠ Exploited in the wild

Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2024-23334 — Path Traversal in Aiohttp

CWE-22 — Path Traversal14 documents13 sources

Severity

7.5HIGHNVD

CNA5.9VulnCheck5.9

EPSS

93.5%

top 0.18%

CISA KEV

Not in KEV

Exploit

Exploited in wild

Active exploitation observed

Affected products

Aio-libs Aiohttp Aiohttp Fedoraproject Fedora

Timeline

PublishedJan 29

Latest updateFeb 4

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vul…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDaiohttp/aiohttp1.0.5 — 3.9.2

▶PyPIaiohttp/aiohttp1.0.5 — 3.9.2

▶CVEListV5aio-libs/aiohttp< 3.9.2

Also affects: Fedora 39

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

aiohttp is vulnerable to directory traversal↗2024-01-29

▶

OSV

aiohttp is vulnerable to directory traversal↗2024-01-29

▶

CVEList

aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal↗2024-01-29

▶

OSV

CVE-2024-23334: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python↗2024-01-29

▶

VulnCheck

aiohttp aiohttp Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')↗2024

▶

💥Exploits & PoCs

Exploit-DB

aiohttp 3.9.1 - directory traversal PoC↗2026-02-04

▶

Nuclei

aiohttp - Directory Traversal

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Vulnerable aiohttp Server Version Response (CVE-2024-23334)↗2024-09-24

▶

📋Vendor Advisories

Ubuntu

AIOHTTP vulnerability↗2024-09-05

▶

Red Hat

aiohttp: follow_symlinks directory traversal vulnerability↗2024-01-30

▶

Debian

CVE-2024-23334: python-aiohttp - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. ...↗2024

▶

🕵️Threat Intelligence

Bleepingcomputer

Hackers exploit Aiohttp bug to find vulnerable networks↗2024-03-16

▶

📄Research Papers

CTF

Chemistry / README↗

▶