Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-23334 PoC — aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal

Source
https://github.com/wizarddos/CVE-2024-23334
Associated Vulnerability
Title:aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal (CVE-2024-23334)
Description:aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Description
Proof-of-Concept for LFI/Path Traversal vulnerability in Aiohttp =< 3.9.1
Readme
# CVE-2024-23334

Proof-of-Concept for LFI/Path Traversal vulnerability in Aiohttp =< 3.9.1 

> [!IMPORTANT]
> This script is for meant for educational purposes only.
> 
> Any illegal usage is strictly prohibited.
>

## How to run?

```
$ git clone https://github.com/wizarddos/CVE-2024-23334
$ cd CVE-2024-23334
$ python3 exploit.py -u [url] -f [file] -d [static directory]
```

> [!Note]
> Remeber to match slashes in url and static dir - if you type `http://127.0.0.1/` then pass directory without slash (like `static`) and vice versa (url without slash and directory with it)

## Why does it work?

Vulnerability itself lies in a way how aiohttp handles requests for static resources

If we write code like this
```py
app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True)
])
```

`follow_symlinks=True` makes it vulnerable to LFI.
To use static resources, you need to specify it's root directory
`follow_symlinks` option tells `aiohttp` to follow symbolic links outside of root directory, yet doesn't check whether link itself lies in root dir.

So even if said "symlink" isn't even a link, `aiohttp` does that file read and returns it's value

Source
[https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f)
File Snapshot

 [4.0K]  /data/pocs/97afaf49c487b4f3af77d0289e0bbd82af65a901
├── [1.5K]  exploit.py
└── [1.3K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →