3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29159

GHSA ID

GHSA-v5gw-mw7f-84px

EPSS Score

0.7904%

CWE

CWE-22

Published

5/17/2023

Updated

10/28/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-29159

CVE-2023-29159: Starlette has Path Traversal vulnerability in StaticFiles

Summary

When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is also exposed via StaticFiles which is a path traversal vulnerability.

Details

The root cause of this issue is the usage of os.path.commonprefix(): https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174

As stated in the Python documentation (https://docs.python.org/3/library/os.path.html#os.path.commonprefix) this function returns the longest prefix common to paths.

When passing a path like /static/../static1.txt, os.path.commonprefix([full_path, directory]) returns ./static which is the common part of ./static1.txt and ./static, It refers to /static/../static1.txt because it is considered in the staticfiles directory. As a result, it becomes possible to view files that should not be open to the public.

The solution is to use os.path.commonpath as the Python documentation explains that os.path.commonprefix works a character at a time, it does not treat the arguments as paths.

PoC

In order to reproduce the issue, you need to create the following structure:

├── static
│   ├── index.html
├── static_disallow
│   ├── index.html
└── static1.txt

And run the Starlette app with:

import uvicorn
from starlette.applications import Starlette
from starlette.routing import Mount
from starlette.staticfiles import StaticFiles


routes = [
    Mount("/static", app=StaticFiles(directory="static", html=True), name="static"),
]

app = Starlette(routes=routes)


if __name__ == "__main__":
    uvicorn.run(app, host="0.0.0.0", port=8000)

And running the commands:

curl --path-as-is 'localhost:8000/static/../static_disallow/'
curl --path-as-is 'localhost:8000/static/../static1.txt'

The static1.txt and the directory static_disallow are exposed.

Impact

Confidentiality is breached: An attacker may obtain files that should not be open to the public.

Credits

Security researcher Masashi Yamane of LAC Co., Ltd reported this vulnerability to JPCERT/CC Vulnerability Coordination Group and they contacted us to coordinate a patch for the security issue.

(GitHub Advisory)

3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29159

GHSA ID

GHSA-v5gw-mw7f-84px

EPSS Score

0.7904%

CWE

CWE-22

Published

5/17/2023

Updated

10/28/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
starlette	pip	>= 0.13.5, < 0.27.0	0.27.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the use of os.path.commonprefix() in the path validation logic. The Python documentation explicitly states this function does not account for path components, making it unsuitable for security checks. The commit diff shows replacement of commonprefix with commonpath (which does proper path component comparison), confirming this was the vulnerable code path. The PoC demonstrates how this character-based comparison fails when sibling resources share the static directory's prefix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry W**n usin* `St*ti**il*s`, i* t**r*'s * *il* or *ir**tory t**t st*rts wit* t** s*m* n*m* *s t** `St*ti**il*s` *ir**tory, t**t *il* or *ir**tory is *lso *xpos** vi* `St*ti**il*s` w*i** is * p*t* tr*v*rs*l vuln*r**ility. ### **t*ils T** roo

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* os.p*t*.*ommonpr**ix() in t** p*t* v*li**tion lo*i*. T** Pyt*on *o*um*nt*tion *xpli*itly st*t*s t*is *un*tion *o*s not ***ount *or p*t* *ompon*nts, m*kin* it unsuit**l* *or s**urity ****ks. T** *ommit *i** s*ow

3.7

Basic Information

Concerned about an active attack path?

CVE-2023-29159: Starlette has Path Traversal vulnerability in StaticFiles

Summary

Details

PoC

Impact

Credits

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI