
CVE-2024-23334 PoC — aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal

Source
Associated Vulnerability
Title: aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal (CVE-2024-23334)
Description: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
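As an added illustration (not the PoC's or aiohttp's own code), the two path-resolution policies the description contrasts: one that only checks containment when follow_symlinks is False, and a hardened one that rejects `..` lexically before resolving and only lets a symlink leave the root when symlinks are explicitly allowed. The temporary directory layout, `secret.txt` and `link` are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_resolve(root: Path, rel: str, follow_symlinks: bool) -> Path:
    """Pre-fix style policy (illustrative): containment is only enforced when
    follow_symlinks is False, so '..' segments escape the root otherwise."""
    filepath = root.joinpath(rel).resolve()
    if not follow_symlinks:
        filepath.relative_to(root)  # ValueError when outside root
    return filepath


def fixed_resolve(root: Path, rel: str, follow_symlinks: bool) -> Path:
    """Hardened policy (illustrative, not aiohttp's code): normalise '..'
    lexically and require the result to sit under root; then resolve
    symlinks, and re-check containment unless symlinks are allowed."""
    unresolved = root.joinpath(rel)
    if follow_symlinks:
        normalized = Path(os.path.normpath(unresolved))
        normalized.relative_to(root)  # '..' traversal rejected here
        return normalized.resolve()   # symlink target may be outside root
    filepath = unresolved.resolve()
    filepath.relative_to(root)        # symlink escaping root rejected here
    return filepath


def classify(resolver, follow_symlinks: bool, rel: str) -> str:
    """Build a constructed static root with one real file and one symlink to a
    file outside it, then report 'rejected', 'inside' or 'outside'."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "static"
        root.mkdir()
        (root / "file.txt").write_text("inside")
        (base / "secret.txt").write_text("outside")  # constructed target
        os.symlink(base / "secret.txt", root / "link")
        try:
            target = resolver(root, rel, follow_symlinks)
        except ValueError:
            return "rejected"
        return "inside" if root in target.parents else "outside"


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_resolve), ("fixed", fixed_resolve)):
        print(name, "follow=True  ../secret.txt ->", classify(fn, True, "../secret.txt"))
        print(name, "follow=False link          ->", classify(fn, False, "link"))
```

With the hardened policy, `follow_symlinks=True` still serves the symlinked file (that is what the option is for) but no longer serves a `..` traversal, which is why disabling the option is the recommended mitigation on unpatched versions.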
Description
This repository is a proof of concept (POC) for CVE-2024-23334, demonstrating an attempt to replicate the bug in aiohttp that leads to Local File Inclusion (LFI).
Readme
# CVE-2024-23334-PoC
This repository is a proof of concept (POC) for CVE-2024-23334, demonstrating an attempt to replicate the bug in aiohttp that leads to Local File Inclusion (LFI).


> [!CAUTION]
> Disclaimer: This POC is for educational purposes only. DO NOT use it in real-world scenarios.



## Install
1. Clone the repository and set up the environment.

```bash
git clone https://github.com/Betan423/CVE-2024-23334-PoC
cd CVE-2024-23334-PoC
# run in virtual environment
python3 -m venv .env
chmod +x ./.env/bin/activate
source ./.env/bin/activate
pip3 install -r requirements.txt
```

2. Host the server
```bash
python server.py
```
3. Run the script
```bash
bash exploit.sh
```
or
```bash
python3 exploit.py -s http://localhost:8081
```

**Congratulations! You have successfully reproduced CVE-2024-23334.**

## Testing follow_symlinks with a symbolic link in the static folder
1. Create the symbolic link for test.txt in the static folder (create a test.txt file on your Desktop first):
```bash
cd static
ln -s ~/Desktop/test.txt test
```
2. View the test.txt file:
Go to http://localhost:8081/static/test, and you should be able to see the content of test.txt.

## Reference
[CVE-2024-23334](https://www.cve.org/CVERecord?id=CVE-2024-23334)  
[jhonnybonny/CVE-2024-23334](https://github.com/jhonnybonny/CVE-2024-23334)  
[z3rObyte/CVE-2024-23334-PoC](https://github.com/z3rObyte/CVE-2024-23334-PoC)
File Snapshot

```
[4.0K] /data/pocs/49db47bb8e21e6b69aa3b76ee6a2f459b9488402
├── [1.0K] exploit.py
├── [ 462] exploit.sh
├── [1.4K] README.md
├── [  15] requirements.txt
├── [ 637] server.py
└── [4.0K] static
    └── [  21] file.txt

1 directory, 6 files
```