aiohttp Directory Traversal Vulnerability in Python Library Patched in Version 3.9.2

A critical directory traversal vulnerability has been identified in aiohttp 3.8.6, exposing systems that use the asynchronous HTTP client/server framework with static route configurations. The flaw, tracked as PYSEC-2024-24 and addressed in version 3.9.2, allows unauthorized file access when the 'follow_symlinks' option is enabled without proper validation of whether file reads remain within the designated root directory.

The vulnerability stems from a lack of boundary checking in the static file serving component. When follow_symlinks is set to True, the library fails to verify that requested files are within the static root, effectively enabling path traversal attacks even on systems where no symbolic links exist. Security researchers note that exploiting this flaw could allow attackers to read arbitrary system files accessible to the application process. The recommended mitigations include disabling follow_symlinks and deploying a reverse proxy in front of the aiohttp server.

A second vulnerability, PYSEC-2023-250, also present in aiohttp 3.8.6, was resolved in version 3.9.0. Organizations running Python applications that depend on this library should verify their current versions and apply the patched releases, particularly those operating web servers with static content delivery. The disclosure highlights ongoing challenges in securing asynchronous Python frameworks against path manipulation attacks.