Severity: MEDIUM (6.1)
GHSA-7gpw-8wmc-pm8g
aiohttp Cross-site Scripting vulnerability on index pages for static file handling
Details
### Summary
An XSS vulnerability exists on index pages for static file handling.
### Details
When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names.
If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.
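The defect class described above, as an added illustration that is not aiohttp's own code: a directory-index renderer that interpolates file names raw (the vulnerable pattern) next to one that HTML-escapes the visible text and percent-encodes the link target, plus a small check a reviewer can run over generated index HTML. Function names and the sample file names are constructed for this example.

```python
import html
from urllib.parse import quote


def render_index_unescaped(url_prefix: str, names: list[str]) -> str:
    """Vulnerable pattern: file names are dropped into the HTML as-is.

    Any name containing HTML metacharacters becomes markup in the listing.
    """
    rows = [f'<li><a href="{url_prefix}/{n}">{n}</a></li>' for n in sorted(names)]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_index(url_prefix: str, names: list[str]) -> str:
    """Hardened renderer: escape text nodes and encode the href separately.

    html.escape(quote=True) neutralises < > & " ' in the visible text;
    urllib.parse.quote percent-encodes the same characters inside the href
    so a name cannot break out of the attribute either.
    """
    rows = []
    for name in sorted(names):
        safe_text = html.escape(name, quote=True)
        safe_href = quote(url_prefix.rstrip("/") + "/" + name, safe="/")
        rows.append(f'<li><a href="{safe_href}">{safe_text}</a></li>')
    heading = f"<h1>Index of {html.escape(url_prefix, quote=True)}</h1>"
    return heading + "\n<ul>\n" + "\n".join(rows) + "\n</ul>"


def name_appears_raw(page: str, name: str) -> bool:
    """Audit helper: True if a name that needs escaping shows up verbatim in the page.

    Plain names (no HTML metacharacters) are never flagged, since their
    escaped and raw forms are identical.
    """
    return name != html.escape(name, quote=True) and name in page


# Constructed sample directory: one ordinary file and two whose names carry
# characters that must never reach the HTML unescaped.
SAMPLE_NAMES = ["notes.txt", "<b>bold</b>.txt", 'q"uote.png']

if __name__ == "__main__":
    for renderer in (render_index_unescaped, render_index):
        page = renderer("/static", SAMPLE_NAMES)
        leaks = [n for n in SAMPLE_NAMES if name_appears_raw(page, n)]
        print(f"{renderer.__name__}: unescaped names -> {leaks}")
```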
### Workaround
We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.
Other users can disable `show_index` if unable to upgrade.
-----
Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
References
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-27306 [ADVISORY]
- https://github.com/aio-libs/aiohttp/pull/8319 [WEB]
- https://github.com/aio-libs/aiohttp/pull/8319/files [WEB]
- https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397 [WEB]
- https://github.com/aio-libs/aiohttp [PACKAGE]
- https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3 [WEB]