PT-2024-29901 · Aiohttp+3
Steverep · Published 2024-08-08 · Updated 2025-08-19 · CVE-2024-42367
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: aiohttp versions prior to 3.10.2
Description: The issue is a path traversal outside the root directory in static routes that contain files with compressed variants (.gz or .br extension) when those variants are symbolic links. The server normally protects against such traversal when follow_symlinks=False (the default) by resolving the requested URL to an absolute path and checking that it lies under the root. However, when the FileResponse class looks for compressed variants, these checks are not performed, and symbolic links are followed automatically during the Path.stat() and Path.open() operations used to send the file.
Recommendations: For aiohttp versions prior to 3.10.2, update to version 3.10.2 or later. As a temporary workaround, consider disabling the use of compressed variants in static routes or restricting access to the FileResponse class until the patch is applied. Additionally, ensure that follow_symlinks=False to minimize the risk of path traversal outside the root directory.
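The following is an added illustration of the mechanism described above and of the containment check that closes it. It is not aiohttp's code and makes no claim about aiohttp's internals: it uses only pathlib to contrast a compressed-variant lookup that merely stats the candidate (so a symlinked .gz/.br pointing outside the root is accepted) with one that resolves the candidate and verifies it still lies under the resolved root. The directory layout it builds is constructed for the demo.

```python
"""Added example (not aiohttp's code): compressed-variant lookup for a
static route, in the unchecked form the advisory describes and in a
hardened form that re-runs the root-containment check on each variant."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Suffixes a static handler typically probes before serving the plain file.
COMPRESSED_SUFFIXES = (".br", ".gz")


def unsafe_variant_lookup(root: Path, rel_path: str) -> Optional[Path]:
    """Pattern described in the advisory: probe <name>.br / <name>.gz with a
    stat-style existence check and serve the first hit. exists() follows
    symlinks, so a variant that is a symlink escaping ``root`` is accepted
    even though the primary path was already validated against the root."""
    base = root / rel_path
    for suffix in COMPRESSED_SUFFIXES:
        candidate = base.with_name(base.name + suffix)
        if candidate.exists():
            return candidate
    return None


def safe_variant_lookup(root: Path, rel_path: str) -> Optional[Path]:
    """Hardened lookup: resolve each candidate (following every symlink) and
    accept it only if the real file is still inside the resolved root."""
    root = root.resolve()  # resolve root too, e.g. /tmp -> /private/tmp on macOS
    base = root / rel_path
    for suffix in COMPRESSED_SUFFIXES:
        candidate = base.with_name(base.name + suffix)
        try:
            real = candidate.resolve(strict=True)  # raises if missing/dangling
        except (OSError, RuntimeError):
            continue
        if real.is_file() and real.is_relative_to(root):
            return real
    return None


def build_demo_tree(tmp: Path) -> Path:
    """Constructed layout for the demo: a static root whose index.html.gz is a
    symlink to a file outside the root, plus one legitimate app.js.gz."""
    root = tmp / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    outside = tmp / "outside.txt"  # lives next to, not under, the static root
    outside.write_text("content outside the document root")
    os.symlink(outside, root / "index.html.gz")  # the escaping compressed variant
    (root / "app.js").write_text("console.log(1)")
    (root / "app.js.gz").write_bytes(b"\x1f\x8b")  # ordinary precompressed file
    return root


def demo() -> Dict[str, Optional[Path]]:
    """Run both lookups over the constructed tree and return what each would serve."""
    with tempfile.TemporaryDirectory() as d:
        root = build_demo_tree(Path(d))
        return {
            "unsafe_index": unsafe_variant_lookup(root, "index.html"),  # symlink accepted
            "safe_index": safe_variant_lookup(root, "index.html"),      # rejected -> None
            "safe_app": safe_variant_lookup(root, "app.js"),            # real variant served
        }


if __name__ == "__main__":
    for label, served in demo().items():
        print(f"{label}: {served}")
```

The essential point is that the containment check must be applied to the path actually opened, after symlink resolution, not only to the URL-derived primary path; the hardened lookup also treats a dangling or cyclic symlink as "no variant" rather than as an error.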

Related Identifiers

AZL-47754
AZL-47763
BDU:2025-03462
CVE-2024-42367
GHSA-JWHX-XCG6-8XHJ
OESA-2024-2254
OPENSUSE-SU-2024:14280-1
OPENSUSE-SU-2024_3110-1
SUSE-SU-2024:3110-1
SUSE-SU-2024_3110-1

Affected Products

Debian
Red Os
Suse
Aiohttp