CVE-2024-42367 Overview
CVE-2024-42367 is a path traversal vulnerability affecting the aiohttp asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes containing files with compressed variants (.gz or .br extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links.
The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default) by resolving the requested URL to an absolute path and checking that path relative to the root. However, these security checks are not performed when looking for compressed variants in the FileResponse class. Symbolic links are then automatically followed when performing Path.stat() and Path.open() operations to send the file, enabling attackers to access files outside the intended root directory.
Critical Impact
Attackers can bypass static file serving protections to read sensitive files outside the web root directory by exploiting symbolic links in compressed file variants, potentially exposing configuration files, credentials, or other sensitive data.
Affected Products
- aiohttp versions 3.10.0 to 3.10.1 (3.10 branch prior to 3.10.2)
Discovery Timeline
- 2024-08-12 - CVE-2024-42367 published to NVD
- 2025-08-19 - Last updated in NVD database
Technical Details for CVE-2024-42367
Vulnerability Analysis
This path traversal vulnerability exists due to an inconsistency in how aiohttp handles security checks for static file serving versus compressed file variants. When a request is made for a static file, aiohttp properly validates that the resolved path remains within the configured root directory when follow_symlinks=False. However, when the framework searches for pre-compressed variants of the requested file (with .gz or .br extensions), it bypasses these path validation checks entirely.
The vulnerable code path is in the FileResponse class, specifically around line 177 of web_fileresponse.py. When the server checks for compressed variants, it constructs the path by simply appending .gz or .br to the original file path without performing the same symlink resolution and path containment checks that are applied to the original request.
Root Cause
The root cause is a missing security check in the compressed file variant lookup logic within the FileResponse class. While the URL dispatcher at web_urldispatcher.py line 674 properly validates paths against the root directory, this validation is not replicated when the FileResponse class subsequently checks for .gz or .br compressed variants of the file.
When the Path.stat() and Path.open() operations are called on these compressed variant paths, Python automatically follows any symbolic links encountered. This allows an attacker who can create a symbolic link file with a .gz or .br extension pointing outside the root directory to bypass the follow_symlinks=False protection.
Attack Vector
The attack requires an attacker to have the ability to create symbolic links within the static file directory (or have write access to place malicious symlinks). The attack proceeds as follows:
- An attacker creates a symbolic link with a .gz or .br extension that points to a sensitive file outside the web root (e.g., /etc/passwd)
- The attacker requests the original filename (without the compressed extension) via HTTP
- aiohttp validates the original request path correctly
- aiohttp then checks for compressed variants by appending .gz or .br to the path
- The compressed variant check finds the malicious symbolic link and follows it without path validation
- The contents of the sensitive file are returned to the attacker
This vulnerability is classified as CWE-61 (UNIX Symbolic Link Following), as the core issue stems from improper handling of symbolic links during file operations.
Detection Methods for CVE-2024-42367
Indicators of Compromise
- Unusual HTTP requests for static files that result in serving content from outside the configured static root directory
- Presence of unexpected symbolic links with .gz or .br extensions in static file directories
- Web server logs showing access to compressed file variants that don't correspond to legitimate compressed assets
- File access audit logs indicating reads of sensitive system files via the aiohttp process
Detection Strategies
- Implement file integrity monitoring on static file directories to detect creation of unauthorized symbolic links
- Monitor web server access logs for patterns of requests probing for compressed file variants
- Deploy application-level logging to track which files are actually being served by the FileResponse class
- Use security scanning tools to identify symbolic links in static content directories that point outside the web root
Monitoring Recommendations
- Enable comprehensive audit logging for file system operations performed by the aiohttp application process
- Configure alerts for any new symbolic link creation within static file serving directories
- Implement anomaly detection for requests that result in file access outside expected directories
- Regularly scan static content directories for suspicious symbolic links as part of security hygiene
How to Mitigate CVE-2024-42367
Immediate Actions Required
- Upgrade aiohttp to version 3.10.2 or later immediately
- Audit all static file directories for unexpected symbolic links, especially those with .gz or .br extensions
- Remove any suspicious symbolic links discovered during the audit
- Review file system permissions to restrict who can create files in static content directories
Patch Information
The aiohttp development team has addressed this vulnerability in version 3.10.2. The fix ensures that path validation checks are performed consistently for both original files and their compressed variants. The security patch is available via commit ce2e9758814527589b10759a20783fb03b98339f, with additional details in pull request #8653. The full security advisory is available at the GitHub Security Advisory GHSA-jwhx-xcg6-8xhj.
Workarounds
- If upgrading is not immediately possible, ensure that no symbolic links exist within static file directories, particularly those with .gz or .br extensions
- Restrict file system permissions on static content directories to prevent creation of symbolic links by untrusted processes
- Disable serving of pre-compressed file variants by not placing .gz or .br files in static directories until the patch is applied
- Implement a reverse proxy or web application firewall rule to block requests for compressed variants if pre-compression is not actively used
# Find and audit symbolic links in static directories
find /path/to/static/root -type l -name "*.gz" -o -type l -name "*.br"
# Upgrade aiohttp to patched version
pip install --upgrade aiohttp>=3.10.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
