Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.
It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.
This security problem has been fixed in v3.7.4. Upgrade your dependency as follows:
[pip install aiohttp >= 3.7.4]
If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.
If you have any questions or comments about this advisory:
* Open an issue in the aiohttp repo
* Email us at [email protected] and/or [email protected]
Credit: Jelmer Vernooij and Beast Glatisant.
| Score | Percentile |
|---|---|
| 0.49% | 65.54% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 3.1 | 3.1 | — |
|
| 2.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-v6wp-4m6f-gcjg ↗ |
| CVE | CVE-2021-21330 ↗ |
| CWE id | Name |
|---|---|
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | aiohttp | < 3.7.4 | 3.7.4 | — |