Keypoints
- CVE-2024-23334 is a directory traversal vulnerability in aiohttp affecting versions prior to 3.9.2 with CVSS 7.5 (High).
- The root cause is improper validation when serving static files with follow_symlinks=True, allowing path traversal outside the static root.
- Cyble’s scanner found over 43,000 Internet-exposed aiohttp instances, concentrated in the US, Germany, and Spain.
- A public Proof-of-Concept appeared on Feb 27, 2024, and large-scale scanning targeting the vulnerability was observed by CGSI beginning Feb 29, 2024.
- One observed scanning IP (81[.]19[.]136[.]251) has prior associations with LockBit activity and ShadowSyndicate, indicating potential threat actor interest.
- Immediate remediation recommended: upgrade aiohttp to version 3.9.2 or later and review static-file configuration (follow_symlinks usage and path validation).
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of a directory traversal in aiohttp to access arbitrary files (‘this vulnerability enables unauthenticated remote attackers to access sensitive information on the server’).
- [T1059.006] Command and Scripting Interpreter: Python – Potential use of Python-based scripts to exploit or interact with aiohttp servers (‘the aiohttp framework is based on Python, and the exploitation of the vulnerability may involve executing malicious Python scripts’).
- [T1083] File and Directory Discovery – Attackers can discover and access arbitrary files and directories via the traversal flaw (‘the directory traversal vulnerability enables attackers to discover and access arbitrary files and directories on the server’).
- [T1005] Data from Local System – Successful exploitation allows collection of sensitive data from the server filesystem (‘By exploiting the vulnerability, attackers can collect sensitive data from the server’s local file system’).
- [T1071] Application Layer Protocol – Exfiltration or C2 communications may reuse application-layer protocols after initial exploitation (‘the exploitation of the vulnerability may involve communication with a command and control (C2) server to exfiltrate collected data or receive further instructions’).
Indicators of Compromise
- [IP] scanning/exploitation attempts – 81[.]19[.]136[.]251, 157[.]230[.]143[.]100, and 3 more IPs observed probing for CVE-2024-23334.
aiohttp (pre-3.9.2) contains a directory traversal vulnerability (CVE-2024-23334, CVSS 7.5) in its static-file handler that is reachable when a static route is registered with follow_symlinks=True (the option defaults to False, so only applications that enable it explicitly are affected). With follow_symlinks enabled, the handler resolves the requested filename against the static root but skips the check that the resolved path still lies inside that root; as a result, a request whose path contains ../ segments can climb out of the directory and read any file the server process can access, with no symbolic link involved. Exploitation therefore consists of sending the ../ segments to the server unnormalized (browsers and curl collapse them client-side by default, so a probe has to transmit the path as-is) and reading the file returned in the response.
A public proof-of-concept appeared on Feb 27, 2024, and Cyble’s CGSI sensors recorded mass scanning from Feb 29 onward, demonstrating rapid attacker interest. Observed scanning sources include IPs (e.g., 81[.]19[.]136[.]251) previously associated with LockBit and ShadowSyndicate activity, indicating likely weaponization attempts. Detection should focus on requests to static-file routes whose path contains traversal sequences (raw ../, percent-encoded forms such as %2e%2e%2f or ..%2f, and double-encoded variants), and on 2xx responses to such requests, which indicate that a file was actually served rather than a probe that was blocked.
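The detection logic described above, run over access-log lines, as an added example for this write-up rather than code from Cyble or the aiohttp project. It parses aiohttp's default access-log shape (client, time, request line, status, size), decodes up to three layers of percent-encoding so single- and double-encoded traversal collapse to ../, and treats a 2xx answer to a traversal path as a likely successful read. The log lines are constructed for the example; the prefixes and IPs in them are placeholders.

```python
"""Flag CVE-2024-23334-style traversal requests in aiohttp access logs.

Added illustration for this write-up; not Cyble's or aiohttp's code.
The SAMPLE_LOG lines below are constructed for the example.
"""
import re
from urllib.parse import unquote

# aiohttp's default access-log format is
#   '%a %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"'
# and this regex parses that shape (client, time, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A '..' path segment bounded by slashes (or by the start/end of the path).
# 'jquery..min.js' must not match; '/../' and '/..' at the end must.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

SAMPLE_LOG = [  # constructed sample data
    '198.51.100.7 [29/Feb/2024:10:14:58 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 [29/Feb/2024:10:15:01 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.4.0"',
    '203.0.113.5 [29/Feb/2024:10:15:02 +0000] "GET /static/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '203.0.113.9 [29/Feb/2024:10:15:07 +0000] "GET /assets/..%252f..%252fproc/self/environ HTTP/1.1" 404 0 "-" "python-requests/2.31.0"',
    '198.51.100.7 [29/Feb/2024:10:15:10 +0000] "GET /static/jquery..min.js HTTP/1.1" 200 8907 "-" "Mozilla/5.0"',
]


def decode_fully(path: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding so that
    %2e%2e%2f (single) and %252e%252e%252f (double) both become '../'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True if the request path, once decoded, contains a '..' segment.

    A compliant client collapses '..' before sending, so any raw or encoded
    occurrence that reaches the server is suspicious in itself.  Backslashes
    are folded to '/' because some scanners send Windows-style separators."""
    target = decode_fully(path.split("?", 1)[0]).replace("\\", "/")
    return TRAVERSAL_RE.search(target) is not None


def classify(record: dict) -> str:
    """A 2xx answer to a traversal path means the server served the file;
    any other status is a probe that was blocked or missed."""
    return "exploited" if record["status"].startswith("2") else "probe"


def scan_log(lines):
    """Return (ip, path, status, verdict) for every traversal request seen."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal(m.group("path")):
            continue
        rec = m.groupdict()
        hits.append((rec["ip"], rec["path"], int(rec["status"]), classify(rec)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feed real logs through scan_log one line at a time; the "exploited" verdict is the one to page on, since it means the handler returned content for a path that escaped the static root.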
Remediation is to upgrade aiohttp to version 3.9.2 or later. Independently of the upgrade, audit static file serving configurations: leave follow_symlinks at its default of False unless links pointing outside the static root are genuinely required, enforce explicit path normalization and validation so that every resolved file path remains within the intended root, and restrict public exposure of admin or sensitive endpoints. Additionally, scan public-facing hosts for exposed aiohttp instances, monitor for related scanning activity, block or investigate connections from the known scanning IPs, and alert on any 2xx response to a request whose path contains traversal sequences, since that indicates a file was actually served.
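The root cause described above (a resolve with no containment check) beside the validation the remediation calls for, as an added stdlib-only example for this write-up; it mirrors the shape of a static-file lookup but is not aiohttp's code, and the temporary directory layout it builds is constructed for the demonstration. The hardened function checks containment lexically before touching the filesystem, so a ../ escape is refused whether or not symlinks are allowed, and only then decides whether a symlink may point outside the root.

```python
"""Static-root containment: unchecked resolution vs. a hardened lookup.

Added illustration for this write-up, not aiohttp's code.  The directory
layout created by build_fixture() is constructed for the example.
"""
import os
import shutil
import tempfile
from pathlib import Path


def resolve_unchecked(root: Path, requested: str) -> Path:
    """The vulnerable shape: join the request onto the root and resolve it,
    with no check that the result is still under `root`.  '../' escapes."""
    return root.joinpath(requested).resolve()


def resolve_contained(root: Path, requested: str, follow_symlinks: bool = False) -> Path:
    """Hardened lookup.

    1. Reject absolute requests outright.
    2. Normalise '..' lexically (no filesystem access) and require the
       result to stay under root, so traversal is caught regardless of
       the follow_symlinks setting.
    3. Resolve symlinks; unless follow_symlinks is intentionally True,
       require the real path to stay under root as well.
    """
    rel = Path(requested)
    if rel.is_absolute() or rel.anchor:
        raise PermissionError(f"absolute path rejected: {requested}")
    root = root.resolve()
    lexical = Path(os.path.normpath(root / rel))
    try:
        lexical.relative_to(root)
    except ValueError:
        raise PermissionError(f"traversal outside {root}: {requested}") from None
    real = lexical.resolve()
    if not follow_symlinks:
        try:
            real.relative_to(root)
        except ValueError:
            raise PermissionError(f"symlink escapes {root}: {requested}") from None
    return real


def build_fixture():
    """Constructed layout: <base>/static/app.js is public, <base>/secret.txt is not."""
    base = Path(tempfile.mkdtemp())
    static = base / "static"
    static.mkdir()
    (static / "app.js").write_text("console.log('ok')")
    (base / "secret.txt").write_text("db-password")
    return base, static


def demo() -> dict:
    """Exercise both lookups against the fixture and return the outcomes."""
    base, static = build_fixture()
    out = {}
    try:
        # Vulnerable path: the traversal resolves to the secret and reads it.
        p = resolve_unchecked(static, "../secret.txt")
        out["unchecked_escapes"] = (
            p == (base / "secret.txt").resolve() and p.read_text() == "db-password"
        )
        # Hardened path: the same request is refused with either setting.
        for fs in (False, True):
            try:
                resolve_contained(static, "../secret.txt", follow_symlinks=fs)
                out[f"blocked_follow_{fs}"] = False
            except PermissionError:
                out[f"blocked_follow_{fs}"] = True
        # Legitimate file still served; absolute path refused.
        out["legit_ok"] = resolve_contained(static, "app.js").read_text() == "console.log('ok')"
        try:
            resolve_contained(static, "/etc/passwd")
            out["absolute_blocked"] = False
        except PermissionError:
            out["absolute_blocked"] = True
        # Symlink inside the root pointing outside it: allowed only when
        # follow_symlinks is deliberately enabled.  Skipped where the
        # platform refuses to create symlinks.
        try:
            (static / "link.txt").symlink_to(base / "secret.txt")
        except OSError:
            return out
        try:
            resolve_contained(static, "link.txt", follow_symlinks=False)
            out["symlink_blocked_default"] = False
        except PermissionError:
            out["symlink_blocked_default"] = True
        out["symlink_served_when_followed"] = (
            resolve_contained(static, "link.txt", follow_symlinks=True).read_text() == "db-password"
        )
        return out
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lexical check is the step the vulnerable code lacked when follow_symlinks was set: doing it on the normalized string before resolution means the decision does not depend on what any link on disk points to.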