cvedb.io
CVE-2024-42367
MEDIUM · CVSS 4.8
EPSS exploitation probability: 0%
Published 2024-08-12T13:38:34.240 · Last modified 2026-06-17T07:49:20.270

Summary

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 co

Affected products

aiohttp — aiohttp

Does this affect you?

Add your gear to cvedb and we'll alert you only when aiohttp ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.