Impact
What kind of vulnerability is it? Who is impacted?
Open redirect vulnerability: a maliciously crafted link to an aiohttp-based web server could redirect the browser to a different website.
It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware, so applications that install this middleware are affected.
Patches
Has the problem been patched? What versions should users upgrade to?
This security problem has been fixed in v3.7.4. Upgrade your dependency as follows (quote the specifier, otherwise the shell treats ">=" as output redirection):
pip install "aiohttp>=3.7.4"
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
If upgrading is not an option for you, a workaround is to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.
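The mechanics behind this class of bug, as an added stand-alone example and not aiohttp's own code: a path-normalising middleware builds candidate paths (append a trailing slash, merge repeated slashes), re-resolves each one and redirects to the first that resolves. If the crafted path begins with "//", the candidate is parsed as a protocol-relative URL, the router only ever sees "/", and the Location header sends the browser to the attacker's host. The route table, the candidate order, the "//host" trigger and the fix (collapsing leading slashes before any candidate is built) are assumptions modelled with the standard library here, not aiohttp's implementation; is_same_origin_path is a general defensive check that any redirect target should pass.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed stand-in for the application's route table (assumption: not an
# aiohttp router). Only these exact paths are considered to resolve.
ROUTES = {"/", "/users/", "/about/"}


def router_resolves(candidate: str) -> bool:
    """Model of the re-resolution step (assumption, modelled with urllib).

    A normalising middleware re-resolves each candidate by building a new
    request from it as a URL. A candidate that starts with '//' is therefore
    parsed as a protocol-relative URL: 'evil.com' becomes the host and only
    '/' is left as the path the router sees.
    """
    return urlsplit(candidate).path in ROUTES


def candidate_paths(raw_path: str, *, append_slash: bool = True,
                    merge_slashes: bool = True, hardened: bool) -> List[str]:
    """Candidate paths a normalising middleware would try (order is an assumption).

    hardened=True applies the fix modelled here: collapse any run of leading
    slashes to a single '/' before candidates are built, so no candidate can
    ever be a protocol-relative URL.
    """
    path = re.sub(r"^//+", "/", raw_path) if hardened else raw_path
    candidates: List[str] = []
    if merge_slashes:
        candidates.append(re.sub(r"//+", "/", path))
    if append_slash and not path.endswith("/"):
        candidates.append(path + "/")
    if merge_slashes and append_slash and not path.endswith("/"):
        candidates.append(re.sub(r"//+", "/", path) + "/")
    return candidates


def redirect_location(raw_path: str, *, hardened: bool) -> Optional[str]:
    """Return the Location header value the middleware would emit, or None."""
    for candidate in candidate_paths(raw_path, hardened=hardened):
        if router_resolves(candidate):
            return candidate
    return None


def is_same_origin_path(location: str) -> bool:
    """Defensive check for any redirect target: it must be an absolute path on
    this origin. Rejects '//host' and '///host' (browsers treat any run of
    leading slashes as an authority), scheme-prefixed URLs, and backslashes
    (browsers treat '/\\host' like '//host' even though urlsplit does not)."""
    if "\\" in location or location.startswith("//") or not location.startswith("/"):
        return False
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc == ""


if __name__ == "__main__":
    # Vulnerable: the appended-slash candidate '//evil.com/' resolves as '/'
    # and the browser is redirected to https://evil.com/.
    print(redirect_location("//evil.com", hardened=False))   # //evil.com/
    # Hardened: leading slashes collapsed first, nothing resolves, no redirect.
    print(redirect_location("//evil.com", hardened=True))    # None
    # Legitimate normalisation still works.
    print(redirect_location("/users", hardened=True))        # /users/
```

The hardened path keeps the legitimate behaviour (/users still redirects to /users/, /about// still collapses to /about/) while refusing to build a candidate that a browser would read as a different host. The separate is_same_origin_path check is worth applying to every redirect an application emits, not just this middleware's, because urlsplit alone misses the "///host" and backslash variants that browsers accept.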
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Credit: Jelmer Vernooij and Beast Glatisant.