CVE-2024-42367: CWE-61: UNIX Symbolic Link (Symlink) Following in aio-libs aiohttp

Medium
Tags: Vulnerability, CVE-2024-42367, CWE-61
Published: Fri Aug 09 2024 (08/09/2024, 17:25:22 UTC)
Source: CVE Database V5
Vendor/Project: aio-libs
Product: aiohttp

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.

AI-Powered Analysis

Last updated: 07/09/2025, 13:24:51 UTC

Technical Analysis

CVE-2024-42367 is a medium-severity vulnerability in aiohttp, a widely used asynchronous HTTP client/server framework for Python. The advisory scopes it to releases on the 3.10 branch prior to 3.10.2; 3.9.x and earlier branches are not listed as affected. aiohttp's static routes can serve precompressed variants of a file (for example `app.js.gz` or `app.js.br`) when the client's Accept-Encoding header allows it. With the default `follow_symlinks=False`, a static route resolves the requested URL to an absolute path and checks that the result still lies inside the root directory, which stops both `../` traversal and symlinks that point outside the root. That check is applied only to the requested path. When `FileResponse` then looks for a compressed variant, it appends `.gz` or `.br` to the already-validated path and calls `Path.stat()` and `Path.open()` on the result, both of which follow symbolic links, without repeating the root check. If a variant such as `app.js.gz` is a symlink to a file outside the root, a request for `/app.js` with `Accept-Encoding: gzip` returns the symlink target, presented as gzip-encoded content.

The attacker does not need to send a traversal sequence: the request is an ordinary static-file fetch, and the file that gets exposed is chosen by whoever created the symlink, not by the request. That precondition is why the CVSS v3.1 vector rates attack complexity as high. The base score is 4.8 (medium): network attack vector, high attack complexity, no privileges required, no user interaction, low confidentiality and integrity impact, no availability impact. The weakness is CWE-61 (UNIX Symbolic Link (Symlink) Following). Version 3.10.2 contains the fix. No exploitation in the wild had been reported as of publication.
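The following is an added illustration of the root cause described above; it is not aiohttp's own code, and the function names, the sample directory layout and the planted symlink are constructed for the demonstration. `resolve_static` models the root check a static route applies to the requested path, `pick_variant_vulnerable` models the pre-3.10.2 compressed-variant lookup that follows symlinks without re-checking the root, and `pick_variant_hardened` shows one way to close the gap (inspect the variant with `lstat()`, which does not follow links, and accept only a regular file). The hardened function is an illustration of the fix's idea, not a claim about the exact code shipped in 3.10.2.

```python
"""Illustration of CVE-2024-42367's root cause (added example, not aiohttp code).

Models two steps of aiohttp's static handling: the root check static routes
perform with follow_symlinks=False, and the compressed-variant lookup that
FileResponse performs afterwards. Function names and the sample layout are
hypothetical.
"""
import os
import stat
import tempfile
from pathlib import Path

# Brotli is tried before gzip; names are illustrative.
ENCODING_EXTENSIONS = {".br": "br", ".gz": "gzip"}


def resolve_static(root: Path, url_path: str) -> Path:
    """Root check applied to the *requested* path: resolve, then require the
    result to lie inside root. Raises ValueError on `../` traversal or on a
    symlink whose target is outside root."""
    root = root.resolve()
    filepath = root.joinpath(url_path.lstrip("/")).resolve()
    filepath.relative_to(root)
    return filepath


def pick_variant_vulnerable(filepath: Path, accept_encoding: str):
    """Pre-3.10.2 pattern: derive <file>.br / <file>.gz from the validated path
    and test it with is_file(), which follows symlinks. The root check is not
    repeated, so a symlinked variant pointing anywhere on disk is accepted."""
    for ext, enc in ENCODING_EXTENSIONS.items():
        if enc not in accept_encoding:
            continue
        candidate = filepath.with_suffix(filepath.suffix + ext)
        if candidate.is_file():
            return candidate, enc
    return filepath, None


def pick_variant_hardened(filepath: Path, accept_encoding: str):
    """One way to close the gap: inspect the variant with lstat(), which does
    not follow links, and accept it only if it is itself a regular file."""
    for ext, enc in ENCODING_EXTENSIONS.items():
        if enc not in accept_encoding:
            continue
        candidate = filepath.with_suffix(filepath.suffix + ext)
        try:
            st = candidate.lstat()
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode):
            return candidate, enc
    return filepath, None


def demo() -> dict:
    """Constructed static root with a planted symlink; compare both lookups."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        root.mkdir()
        secret = base / "secret.txt"              # outside the static root
        secret.write_text("db_password=hunter2\n")
        (root / "app.js").write_text("console.log('hi');\n")
        os.symlink(secret, root / "app.js.gz")    # planted compressed "variant"

        # GET /app.js passes the root check: app.js really is inside root.
        filepath = resolve_static(root, "/app.js")
        accept = "gzip, deflate, br"
        vuln_path, vuln_enc = pick_variant_vulnerable(filepath, accept)
        hard_path, hard_enc = pick_variant_hardened(filepath, accept)
        return {
            "vulnerable_encoding": vuln_enc,            # "gzip"
            "vulnerable_body": vuln_path.read_bytes(),  # contents of secret.txt
            "vulnerable_escapes_root": not vuln_path.resolve().is_relative_to(root.resolve()),
            "hardened_encoding": hard_enc,              # None: symlinked variant skipped
            "hardened_body": hard_path.read_bytes(),    # the real app.js
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block prints the secret's contents under `vulnerable_body` with `vulnerable_encoding` set to `gzip`, while the hardened lookup falls back to the real `app.js` with no encoding. Note that `resolve_static` would reject a request for `/app.js.gz` that pointed outside the root; the bug is only reachable through the derived variant path.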

Potential Impact

For European organizations running aiohttp versions 3.10.0b1 up to but not including 3.10.2, this vulnerability lets an unauthenticated remote client read files outside the web server's static root, subject to one precondition: a `.gz` or `.br` variant inside the static root must be a symbolic link whose target lies outside it. The attacker does not choose the target. They can read only what such links already point to, or what they can make a link point to if they have some other way to place files in the static root (a deployment pipeline, an upload feature, a shared volume). Where the precondition holds, the exposed files may include configuration, credentials or other data readable by the server process, and for personal data that is a disclosure relevant under GDPR. Integrity and availability are not directly affected. Because the request is a normal fetch of a static path with an Accept-Encoding header, it is cheap to probe at scale and does not stand out from legitimate traffic. Services on the 3.10 branch that ship precompressed static assets are the population at risk, in particular deployments where build tooling emits those assets as symlinks. Given the widespread use of aiohttp in Python web applications and microservices, this applies across sectors including finance, healthcare, government and technology companies in Europe.

Mitigation Recommendations

European organizations should audit deployments for aiohttp versions between 3.10.0b1 and 3.10.2 (exclusive), including versions pulled in transitively by other packages, and upgrade to 3.10.2 or later, where the issue is patched. Until the upgrade is applied, the effective interim control is to make sure no `.gz` or `.br` file under any static root is a symbolic link: replace symlinked variants with regular files, or remove them so aiohttp serves the uncompressed original. Setting `follow_symlinks=False` explicitly does not help; it is already the default, and it is exactly the check that the compressed-variant lookup bypasses. Review the build and deployment steps that produce precompressed assets so they write real files rather than links, and restrict who and what can write to static roots. Run the server as a low-privilege account whose filesystem permissions deny access to secrets and configuration it does not need, so that a followed symlink has nothing sensitive to read, and keep sensitive data outside any directory the server process can reach. WAF signatures for `../` traversal do not catch this issue, because the request path is a valid in-root path; the difference is only in what the server returns. A recurring filesystem check for symlinked `.gz`/`.br` files under each static root is therefore a more reliable detection than request inspection, alongside the usual review of access logs for unexpected static-content requests.
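The audit below is an added example for the two checks recommended above; it is not tooling from aiohttp or the page's vendor, and its function names and the constructed sample directory are hypothetical. `is_vulnerable_version` applies the affected range the advisory gives (3.10 branch, before 3.10.2), and `audit_static_root` walks a static root looking for `.gz`/`.br` entries that are symbolic links, flagging those whose resolved target lies outside the root.

```python
"""Pre-upgrade audit for CVE-2024-42367 (added example, not aiohttp or vendor tooling).

Two checks: is the aiohttp version string in the affected range, and does a
static root contain any .gz/.br entry that is a symbolic link, in particular
one whose target lies outside the root. Function names and the sample layout
are hypothetical.
"""
import os
import re
import tempfile
from pathlib import Path

COMPRESSED_SUFFIXES = (".gz", ".br")


def is_vulnerable_version(version: str) -> bool:
    """True for releases on the 3.10 branch before 3.10.2, including
    pre-releases such as 3.10.0b1. Other branches are not listed as affected."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised aiohttp version: {version!r}")
    major, minor, micro = (int(x) for x in m.groups())
    return (major, minor) == (3, 10) and micro < 2


def audit_static_root(root) -> list:
    """Return (relative_path, resolved_target, escapes_root) for every .gz/.br
    symlink under root. Links that stay inside root are reported too: fixed
    aiohttp versions skip symlinked variants, so those assets stop being served
    compressed after the upgrade."""
    root = Path(root).resolve()
    findings = []
    # followlinks=False: symlinked directories are listed but not descended.
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if not name.endswith(COMPRESSED_SUFFIXES):
                continue
            candidate = Path(dirpath) / name
            if not candidate.is_symlink():
                continue
            target = candidate.resolve()  # non-strict: dangling links still yield a path
            escapes = not target.is_relative_to(root)
            findings.append((str(candidate.relative_to(root)), str(target), escapes))
    return sorted(findings)


def demo() -> list:
    """Constructed static root: one regular variant, one internal symlink,
    one symlink escaping the root."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        (root / "real").mkdir(parents=True)
        (root / "vendor.js.gz").write_bytes(b"\x1f\x8b")              # regular file: not reported
        (root / "real" / "app.js.gz").write_bytes(b"\x1f\x8b")
        os.symlink(root / "real" / "app.js.gz", root / "app.js.gz")    # stays inside root
        (base / "secret").mkdir()
        (base / "secret" / ".env").write_text("API_KEY=example\n")
        os.symlink(base / "secret" / ".env", root / "index.html.br")  # escapes root
        return audit_static_root(root)


if __name__ == "__main__":
    print("3.10.1 affected:", is_vulnerable_version("3.10.1"))
    for rel, target, escapes in demo():
        print(f"{'ESCAPES' if escapes else 'internal'}  {rel} -> {target}")
```

Point `audit_static_root` at each directory passed to `add_static` in production; any finding marked as escaping the root is an exploitable instance on an affected version and should be removed or replaced with a regular file before anything else.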

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2024-07-30T14:01:33.923Z
Cvss Version
3.1
State
PUBLISHED

Added to database: 6/9/2025, 12:22:43 PM

Last enriched: 7/9/2025, 1:24:51 PM

Last updated: 8/15/2025, 2:20:51 AM
