Moderate severity · NVD Advisory · Published Apr 18, 2024 · Updated Nov 3, 2025
aiohttp vulnerable to XSS on index pages for static file handling
CVE-2024-27306
Description
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. An XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable show_index if unable to upgrade.
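As an added example (not part of this advisory or of aiohttp's own code): a small Python script that decides whether a deployment meets the advisory's three exposure conditions (aiohttp serving the static files itself, version older than 3.9.4, show_index enabled) and audits an aiohttp application's static routes for the show_index setting. The `add_static(..., show_index=...)` keyword is aiohttp's public API; reading `StaticResource._show_index` and `resource.canonical` in the audit is an assumption about aiohttp's internals and may need adjusting across versions. `parse_version` is a deliberately minimal helper written for this example, and the throwaway directory it serves is constructed at run time.

```python
"""Added example for CVE-2024-27306: exposure check and static-route audit.

Not part of the advisory or of the aiohttp project. The fixed version 3.9.4
and the show_index mitigation come from the advisory text; the audit relies
on aiohttp internals (see audit_static_routes) and is an assumption.
"""
import re
import tempfile

# Fixed in 3.9.4 according to the advisory.
FIXED_VERSION = (3, 9, 4)


def parse_version(version: str) -> tuple:
    """Return the leading MAJOR.MINOR[.PATCH] of a version string as an int tuple.

    Minimal helper for the comparison below: trailing release tags such as
    '-r1' or 'rc1' are ignored, and a missing patch component counts as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_exposed(aiohttp_version: str, show_index: bool,
               static_via_reverse_proxy: bool = False) -> bool:
    """True only when every condition named in the advisory holds.

    - aiohttp itself serves the static files (a reverse proxy such as nginx
      serving them means aiohttp's index pages are never reached);
    - the aiohttp version is older than 3.9.4;
    - directory index pages are enabled (show_index=True).
    """
    if static_via_reverse_proxy:
        return False
    return parse_version(aiohttp_version) < FIXED_VERSION and show_index


def build_static_app(show_index: bool):
    """Build an aiohttp app serving a throwaway directory under /static.

    Returns None when aiohttp is not installed so the rest of the script
    still runs. show_index=True is the affected configuration; the default,
    show_index=False, serves files but never renders a directory listing.
    """
    try:
        from aiohttp import web
    except ImportError:
        return None
    app = web.Application()
    # Constructed sample: an empty temporary directory stands in for the site's static files.
    app.router.add_static("/static", tempfile.mkdtemp(), show_index=show_index)
    return app


def audit_static_routes(app) -> list:
    """Return URL prefixes of static resources that have show_index enabled.

    Assumption: StaticResource keeps the flag in a private `_show_index`
    attribute and exposes its prefix as `canonical`; both are aiohttp
    implementation details, not public API.
    """
    findings = []
    for resource in app.router.resources():
        if getattr(resource, "_show_index", False):
            findings.append(resource.canonical)
    return findings


def installed_aiohttp_version():
    """Return the installed aiohttp version string, or None if it is absent."""
    try:
        import aiohttp
    except ImportError:
        return None
    return aiohttp.__version__


if __name__ == "__main__":
    version = installed_aiohttp_version()
    print("installed aiohttp:", version or "not installed")
    for v, idx in [("3.9.3", True), ("3.9.3", False), ("3.9.4", True)]:
        print(f"aiohttp {v}, show_index={idx}: exposed={is_exposed(v, idx)}")
    app = build_static_app(show_index=True)
    if app is not None:
        print("static routes with show_index enabled:", audit_static_routes(app))
```

Run it inside the virtual environment of the service being checked so that `installed_aiohttp_version()` reports the version the application actually imports; the audit only sees routes registered on the `Application` object you pass it, so call it on the real app after all routes are added.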
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aiohttp (PyPI) | < 3.9.4 | 3.9.4 |
Affected products
45 OSV package coordinates (purls); none of the entries has a CPE assigned.

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:apk/chainguard/checkov | Chainguard | < 3.0.34-r1 |
| pkg:apk/chainguard/dask-gateway | Chainguard | < 2024.1.0-r4 |
| pkg:apk/chainguard/dask-gateway-server | Chainguard | < 2024.1.0-r4 |
| pkg:apk/chainguard/kserve | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/kserve-agent | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/kserve-agent-compat | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/kserve-manager | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/kserve-manager-compat | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/kserve-qpext | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/kserve-qpext-compat | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/kserve-router | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/kserve-router-compat | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/kserve-storage-controller | Chainguard | < 0.13.1-r3 |
| pkg:apk/chainguard/nemo | Chainguard | < 1.23.0-r12 |
| pkg:apk/chainguard/py3.13-scanner-test-libraries-aiohttp | Chainguard | < 0.0.1-r3 |
| pkg:apk/chainguard/py3-cassandra-medusa | Chainguard | < 0.20.1-r0 |
| pkg:apk/chainguard/py3-cassandra-medusa-compat | Chainguard | < 0.20.1-r0 |
| pkg:apk/chainguard/request-1276 | Chainguard | < 0.20.1-r0 |
| pkg:apk/chainguard/request-1276-compat | Chainguard | < 0.20.1-r0 |
| pkg:apk/wolfi/checkov | Wolfi | < 3.0.34-r1 |
| pkg:apk/wolfi/dask-gateway | Wolfi | < 2024.1.0-r4 |
| pkg:apk/wolfi/dask-gateway-server | Wolfi | < 2024.1.0-r4 |
| pkg:apk/wolfi/kserve | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/kserve-agent | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/kserve-agent-compat | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/kserve-manager | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/kserve-manager-compat | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/kserve-qpext | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/kserve-qpext-compat | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/kserve-router | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/kserve-router-compat | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/kserve-storage-controller | Wolfi | < 0.13.1-r3 |
| pkg:apk/wolfi/py3-cassandra-medusa | Wolfi | < 0.20.1-r0 |
| pkg:apk/wolfi/py3-cassandra-medusa-compat | Wolfi | < 0.20.1-r0 |
| pkg:pypi/aiohttp | PyPI | < 3.9.4 |
| pkg:rpm/opensuse/python-aiohttp | openSUSE Leap 15.5 | < 3.9.3-150400.10.21.1 |
| pkg:rpm/opensuse/python-aiohttp | openSUSE Leap 15.6 | < 3.9.3-150400.10.21.1 |
| pkg:rpm/opensuse/python-aiohttp | openSUSE Tumbleweed | < 3.9.5-2.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Module for Public Cloud 15 SP2 | < 3.6.0-150100.3.24.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Module for Public Cloud 15 SP3 | < 3.6.0-150100.3.24.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Module for Public Cloud 15 SP4 | < 3.9.3-150400.10.21.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Module for Public Cloud 15 SP5 | < 3.6.0-150100.3.24.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Module for Public Cloud 15 SP6 | < 3.6.0-150100.3.24.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Module for Python 3 15 SP5 | < 3.9.3-150400.10.21.1 |
| pkg:rpm/suse/python-aiohttp | SUSE Linux Enterprise Module for Python 3 15 SP6 | < 3.9.3-150400.10.21.1 |
References
- github.com/advisories/GHSA-7gpw-8wmc-pm8g (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-27306 (ADVISORY)
- github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397 (x_refsource_MISC, WEB)
- github.com/aio-libs/aiohttp/pull/8319 (x_refsource_MISC, WEB)
- github.com/aio-libs/aiohttp/pull/8319/files (WEB)
- github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g (x_refsource_CONFIRM, WEB)
- lists.debian.org/debian-lts-announce/2025/02/msg00002.html (WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP (WEB; also listed by MITRE)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U (WEB; also listed by MITRE)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3 (WEB; also listed by MITRE)