[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2024-23334":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T02:55:30.529Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":40,"aliases":62,"duplicate_of":9,"upstream":65,"downstream":66,"duplicates":91,"related":92,"reserved_at":9,"published_at":102,"modified_at":103,"state":104,"summary":105,"references_raw":113,"kevs":179,"epss":180,"epss_history":183,"metrics":385,"affected":402},"CVE-2024-23334","aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.  Disabling follow_symlinks and using a reverse proxy are encouraged mitigations.  Version 3.9.2 fixes this issue.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-22","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.","weakness","Stable","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-126","Path Traversal",[],{"id":25,"name":26,"techniques":27},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":29,"name":30,"techniques":31},"CAPEC-76","Manipulating Web Input to File System Calls",[],{"id":33,"name":34,"techniques":35},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":37,"name":38,"techniques":39},"CAPEC-79","Using Slashes in Alternate Encoding",[],[41,50],{"_key":42,"name":43,"source":44,"url":45,"maturity":46,"reliability_score":47,"verified":48,"type":9,"platforms":49,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_AIO-LIBS_AIOHTTP","Aiohttp","github","https://github.com/aio-libs/aiohttp/issues/6772","poc",0.3,false,[],{"_key":51,"name":52,"source":53,"url":54,"maturity":46,"reliability_score":55,"verified":48,"type":9,"platforms":56,"requires_auth":9,"exploitdb":58,"metasploit":9},"52474","aiohttp 3.9.1 - directory traversal PoC","exploit-database","https://www.exploit-db.com/exploits/52474",0.5,[57],"python",{"verified":48,"type":59,"platform":57,"file":60,"codes":61},"webapps","exploits/python/webapps/52474.txt",[7],[63,64],"GHSA-5h86-8mv2-jq9f","PYSEC-2024-24",[],[67,69,71,73,75,77,79,81,83,85,87,89],{"_key":68},"SUSE-SU-2024:0577-1",{"_key":70},"OPENSUSE-SU-2024:13642-1",{"_key":72},"DLA-4041-1",{"_key":74},"DSA-5828-1",{"_key":76},"MGASA-2024-0388",{"_key":78},"USN-6991-1",{"_key":80},"DEBIAN-CVE-2024-23334",{"_key":82},"UBUNTU-CVE-2024-23334",{"_key":84},"RHSA-2024:1536",{"_key":86},"RHSA-2024:1878",{"_key":88},"RHSA-2024:2010",{"_key":90},"RHSA-2024:1640",[],[93,94,95,96,98,100],{"_key":68},{"_key":70},{"_key":76},{"_key":97},"CGA-C9GX-2CQ5-2F2R",{"_key":99},"CGA-X8W7-VX7P-R8VF",{"_key":101},"CGA-H5W3-J5F9-PC68","2024-01-29T22:41:39.584Z","2026-02-04T19:22:36.853Z","Modified",{"cisa_kev":48,"cisa_ransomware":48,"cisa_vendor":9,"epss_severity":106,"epss_score":107,"severity":108,"severity_score":109,"severity_version":110,"severity_source":111,"severity_vector":112,"severity_status":104},"critical",0.93527,"high",7.5,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",[114,126,133,137,143,147,151,155,159,164,168,172,176],{"url":115,"sources":116,"tags":119},"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f",[117,111,118],"cve.org","osv_pypi",[120,121,122,123,124,125],"X Refsource CONFIRM","Exploit","Mitigation","Vendor Advisory","WEB","Advisory",{"url":127,"sources":128,"tags":129},"https://github.com/aio-libs/aiohttp/pull/8079",[117,111,118],[130,131,124,132],"X Refsource MISC","Patch","FIX",{"url":134,"sources":135,"tags":136},"https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b",[117,111,118],[130,131,124,132],{"url":138,"sources":139,"tags":140},"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/",[117,111,118],[141,142],"Mailing List","ARTICLE",{"url":144,"sources":145,"tags":146},"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/",[117,111],[],{"url":148,"sources":149,"tags":150},"https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html",[117,111,118],[124],{"url":152,"sources":153,"tags":154},"https://nvd.nist.gov/vuln/detail/CVE-2024-23334",[118],[125],{"url":156,"sources":157,"tags":158},"https://github.com/aio-libs/aiohttp/pull/8079/files",[118],[124],{"url":160,"sources":161,"tags":162},"https://github.com/aio-libs/aiohttp",[118],[163],"PACKAGE",{"url":165,"sources":166,"tags":167},"https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-24.yaml",[118],[124],{"url":169,"sources":170,"tags":171},"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD",[118],[124],{"url":173,"sources":174,"tags":175},"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7",[118],[124],{"url":54,"sources":177,"tags":178},[117,111,118],[124],[],{"date":181,"score":107,"percentile":182},"2026-06-04",0.99836,[184,188,190,192,195,197,201,203,206,208,211,213,215,217,219,223,226,228,230,232,234,236,238,240,242,244,246,248,251,253,256,259,261,263,265,267,269,271,273,275,277,279,281,283,285,288,290,292,294,296,298,300,302,304,306,308,310,312,314,316,318,320,322,326,328,331,333,335,338,340,342,344,346,348,350,352,355,357,359,361,363,365,367,369,371,373,375,377,379,381],{"date":185,"score":186,"percentile":187},"2025-11-04",0.93559,0.9982,{"date":189,"score":186,"percentile":187},"2025-11-05",{"date":191,"score":186,"percentile":187},"2025-11-06",{"date":193,"score":186,"percentile":194},"2025-11-07",0.99821,{"date":196,"score":186,"percentile":194},"2025-11-08",{"date":198,"score":199,"percentile":200},"2025-11-09",0.9361,0.99826,{"date":202,"score":199,"percentile":200},"2025-11-10",{"date":204,"score":199,"percentile":205},"2025-11-11",0.99825,{"date":207,"score":186,"percentile":187},"2025-11-12",{"date":209,"score":186,"percentile":210},"2025-11-13",0.99819,{"date":212,"score":186,"percentile":210},"2025-11-14",{"date":214,"score":186,"percentile":187},"2025-11-15",{"date":216,"score":186,"percentile":187},"2025-11-16",{"date":218,"score":186,"percentile":187},"2025-11-17",{"date":220,"score":221,"percentile":222},"2025-11-18",0.68186,0.98621,{"date":224,"score":221,"percentile":225},"2025-11-19",0.98622,{"date":227,"score":221,"percentile":225},"2025-11-20",{"date":229,"score":186,"percentile":187},"2025-11-21",{"date":231,"score":186,"percentile":187},"2025-11-22",{"date":233,"score":186,"percentile":187},"2025-11-23",{"date":235,"score":186,"percentile":210},"2025-11-24",{"date":237,"score":186,"percentile":210},"2025-11-25",{"date":239,"score":186,"percentile":210},"2025-11-26",{"date":241,"score":186,"percentile":187},"2025-11-27",{"date":243,"score":186,"percentile":187},"2025-11-28",{"date":245,"score":186,"percentile":210},"2025-11-29",{"date":247,"score":186,"percentile":187},"2025-11-30",{"date":249,"score":186,"percentile":250},"2025-12-01",0.99822,{"date":252,"score":186,"percentile":250},"2025-12-02",{"date":254,"score":199,"percentile":255},"2025-12-03",0.99827,{"date":257,"score":199,"percentile":258},"2025-12-04",0.99824,{"date":260,"score":199,"percentile":258},"2025-12-05",{"date":262,"score":199,"percentile":258},"2025-12-06",{"date":264,"score":186,"percentile":187},"2025-12-07",{"date":266,"score":186,"percentile":187},"2025-12-08",{"date":268,"score":186,"percentile":187},"2025-12-09",{"date":270,"score":186,"percentile":194},"2025-12-10",{"date":272,"score":186,"percentile":194},"2025-12-11",{"date":274,"score":186,"percentile":194},"2025-12-12",{"date":276,"score":186,"percentile":187},"2025-12-13",{"date":278,"score":186,"percentile":187},"2025-12-14",{"date":280,"score":186,"percentile":187},"2025-12-15",{"date":282,"score":186,"percentile":187},"2025-12-16",{"date":284,"score":186,"percentile":187},"2025-12-17",{"date":286,"score":186,"percentile":287},"2025-12-18",0.99818,{"date":289,"score":186,"percentile":287},"2025-12-19",{"date":291,"score":186,"percentile":287},"2025-12-20",{"date":293,"score":186,"percentile":287},"2025-12-21",{"date":295,"score":186,"percentile":287},"2025-12-22",{"date":297,"score":186,"percentile":287},"2025-12-23",{"date":299,"score":186,"percentile":287},"2025-12-24",{"date":301,"score":186,"percentile":287},"2025-12-25",{"date":303,"score":186,"percentile":287},"2025-12-26",{"date":305,"score":186,"percentile":287},"2025-12-27",{"date":307,"score":186,"percentile":287},"2025-12-28",{"date":309,"score":186,"percentile":287},"2025-12-29",{"date":311,"score":186,"percentile":287},"2025-12-30",{"date":313,"score":186,"percentile":287},"2025-12-31",{"date":315,"score":186,"percentile":187},"2026-01-01",{"date":317,"score":186,"percentile":187},"2026-01-02",{"date":319,"score":186,"percentile":187},"2026-01-03",{"date":321,"score":186,"percentile":287},"2026-01-04",{"date":323,"score":324,"percentile":325},"2026-01-05",0.93524,0.99815,{"date":327,"score":324,"percentile":325},"2026-01-06",{"date":329,"score":324,"percentile":330},"2026-01-07",0.99814,{"date":332,"score":324,"percentile":325},"2026-01-08",{"date":334,"score":324,"percentile":325},"2026-01-09",{"date":336,"score":337,"percentile":194},"2026-01-10",0.93577,{"date":339,"score":337,"percentile":194},"2026-01-11",{"date":341,"score":337,"percentile":194},"2026-01-12",{"date":343,"score":337,"percentile":250},"2026-01-13",{"date":345,"score":337,"percentile":250},"2026-01-14",{"date":347,"score":337,"percentile":250},"2026-01-15",{"date":349,"score":337,"percentile":250},"2026-01-16",{"date":351,"score":337,"percentile":250},"2026-01-17",{"date":353,"score":337,"percentile":354},"2026-01-18",0.99823,{"date":356,"score":337,"percentile":354},"2026-01-19",{"date":358,"score":337,"percentile":258},"2026-01-20",{"date":360,"score":337,"percentile":258},"2026-01-21",{"date":362,"score":337,"percentile":258},"2026-01-22",{"date":364,"score":337,"percentile":258},"2026-01-23",{"date":366,"score":337,"percentile":258},"2026-01-24",{"date":368,"score":337,"percentile":205},"2026-01-25",{"date":370,"score":337,"percentile":258},"2026-01-26",{"date":372,"score":337,"percentile":258},"2026-01-27",{"date":374,"score":337,"percentile":205},"2026-01-28",{"date":376,"score":337,"percentile":205},"2026-01-29",{"date":378,"score":337,"percentile":258},"2026-01-30",{"date":380,"score":337,"percentile":258},"2026-01-31",{"date":382,"score":383,"percentile":384},"2026-02-01",0.93482,0.99817,[386,393,397],{"source":117,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":387,"cvss_v4_0":9},{"baseScore":388,"baseSeverity":389,"vectorString":390,"impactScore":391,"exploitabilityScore":392},5.9,"MEDIUM","CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",6,5.6,{"source":111,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":394,"cvss_v4_0":9},{"baseScore":109,"baseSeverity":395,"vectorString":112,"impactScore":391,"exploitabilityScore":396},"HIGH",10,{"source":118,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":398,"cvss_v4_0":399},{"baseScore":388,"baseSeverity":9,"vectorString":390,"impactScore":391,"exploitabilityScore":392},{"baseScore":400,"baseSeverity":9,"vectorString":401,"impactScore":9,"exploitabilityScore":9},8.2,"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",[403,413,420,427],{"ecosystem":9,"name":404,"vendor":405,"product":404,"cpe_part":406,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":407},"aiohttp","aio-libs","a",[408],{"version":409,"is_range":410,"range_type":117,"version_start":9,"version_start_type":9,"version_end":411,"version_end_type":412,"fixed_in":9},"\u003C 3.9.2",true,"3.9.2","excluding",{"ecosystem":9,"name":404,"vendor":404,"product":404,"cpe_part":406,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":414},[415],{"version":416,"is_range":410,"range_type":417,"version_start":418,"version_start_type":419,"version_end":411,"version_end_type":412,"fixed_in":9},"gte1.0.5_lt3.9.2","cpe","1.0.5","including",{"ecosystem":9,"name":421,"vendor":422,"product":421,"cpe_part":423,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":424},"fedora","fedoraproject","o",[425],{"version":426,"is_range":48,"range_type":417,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"39",{"ecosystem":428,"name":404,"vendor":428,"product":404,"cpe_part":9,"purl_type":429,"purl_namespace":9,"purl_name":404,"source":9,"versions":430},"PyPI","pypi",[431,435],{"version":432,"is_range":410,"range_type":433,"version_start":9,"version_start_type":9,"version_end":434,"version_end_type":412,"fixed_in":9},"lt1c335944d6a8b1298baf179b7c0b3069f10c514b","ecosystem","1c335944d6a8b1298baf179b7c0b3069f10c514b",{"version":436,"is_range":410,"range_type":433,"version_start":418,"version_start_type":419,"version_end":411,"version_end_type":412,"fixed_in":9},"gte1_0_5_lt3_9_2"]