CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence: Low
EPSS
Percentile: 16.3%
aiohttp is vulnerable to path traversal. The vulnerability is due to improper handling of symbolic links for compressed file variants (files with .gz or .br extensions), which can allow access to files outside the configured root directory even when follow_symlinks=False is set.
github.com/advisories/GHSA-jwhx-xcg6-8xhj
github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_fileresponse.py#L177
github.com/aio-libs/aiohttp/blob/e0ff5246e1d29b7710ab1a2bbc972b48169f1c05/aiohttp/web_urldispatcher.py#L674
github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
github.com/aio-libs/aiohttp/pull/8653
github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj