VDB
GCVE-110-MAGEIA-2024-388
GCVE-110-MAGEIA-2024-388
Advisory Published
When using aiohttp as a web server and configuring static routes, it is
necessary to specify the root path for static files. Additionally, the
option 'follow_symlinks' can be used to determine whether to follow
symbolic links outside the static root directory. When 'follow_symlinks'
is set to True, there is no validation to check if reading a file is
within the root directory. This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to arbitrary files on
the system, even when symlinks are not present. Disabling
follow_symlinks and using a reverse proxy are encouraged mitigations.
CVE-2024-23334
The Python parser parses newlines in chunk extensions incorrectly which
can lead to request smuggling vulnerabilities under certain conditions.
If a pure Python version of aiohttp is installed (i.e. without the usual
C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker
may be able to execute a request smuggling attack to bypass certain
firewalls or proxy protections. CVE-2024-52304
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | python-aiohttp | 0 (affected), 3.8.3-3.2.mga9 (unaffected) | — |
Aliases
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.