Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.
It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.
This security problem has been fixed in v3.7.4. Upgrade your dependency as follows (the version specifier is quoted so that the shell does not treat `>=` as a redirection):

```shell
pip install "aiohttp>=3.7.4"
```
If upgrading is not an option for you, a workaround is to remove aiohttp.web_middlewares.normalize_path_middleware from the middleware list of your applications.
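As an added defence-in-depth example (not code from the aiohttp project or from this advisory), the stdlib validator below accepts only redirect targets that stay on the current site, and, when aiohttp is installed, the optional middleware applies it to every redirect raised inside the application, including those produced by normalize_path_middleware. The function and middleware names are assumptions.

```python
"""Same-site redirect guard: stdlib validator plus an optional aiohttp middleware."""
import re
from urllib.parse import urlsplit

# Browsers strip tabs, newlines and other control characters before parsing a
# URL, so a target containing them is not the path it appears to be.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def is_local_redirect(location: str) -> bool:
    """Return True only for an absolute-path target on the current site.

    Anything carrying a scheme or host is rejected, as are scheme-relative
    forms ('//host' and '/\\host'), which browsers resolve to another origin.
    """
    if not location or _CONTROL_CHARS.search(location):
        return False
    if location[0] != "/" or location[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(location)
    return not parts.scheme and not parts.netloc


try:
    from aiohttp import web
except ImportError:  # aiohttp not installed: the validator above still works on its own
    web = None

if web is not None:
    _REDIRECT_STATUSES = {301, 302, 303, 307, 308}

    @web.middleware
    async def same_site_redirects_only(request, handler):
        """Hypothetical middleware: answer 404 instead of any off-site redirect.

        List it before normalize_path_middleware in Application(middlewares=...)
        so that it wraps the redirects that middleware raises.
        """
        try:
            response = await handler(request)
        except web.HTTPRedirection as exc:
            if not is_local_redirect(exc.headers.get("Location", "")):
                raise web.HTTPNotFound() from None
            raise
        if response.status in _REDIRECT_STATUSES:
            if not is_local_redirect(response.headers.get("Location", "")):
                raise web.HTTPNotFound()
        return response
```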
If you have any questions or comments about this advisory:
* Open an issue in the aiohttp repo
* Email us at wk+aio-libs-security@sydorenko.org.ua and/or andrew.svetlov+aio-libs-security@gmail.com
Credit: Jelmer Vernooij and Beast Glatisant.