CVE-2024-30265

CVE-2024-30265 is a high-severity security vulnerability in voila (pip), affecting versions >= 0.0.2, < 0.2.17. It is fixed in 0.2.17, 0.3.8, 0.4.4, 0.5.6.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Voilà Local file inclusion

Workarounds

None.

References

CWE-73: External Control of File Name or Path

Original report

I have found a local file inclusion vulnerability in one of your subprojects, voila (https://github.com/voila-dashboards/voila).

The vulnerability exists in the "/static" Route, and can be exploited by simply making a request such as this:

$ curl localhost:8866/static/etc/passwd

...or by using a webbrowser to download the file.

I dug into the source code, and I think the offending line is here: https://github.com/voila-dashboards/voila/blob/8419cc7d79c0bb1dabfbd9ec49cb957740609d4d/voila/app.py#L664
"static_path" gets set to "/", irrespective of the actual "--static" cli option. Because of that, the tornado.web.StaticFileHandler gets initialized with path="/". Then, tornado.web.StaticFileHandler.get calls tornado.web.StaticFileHandler.get_absolute_path with root="/" and path="[USER SUPPLIED PATH]", which leads to local file inclusion. An attacker can request any file on the system they want (that the user running voila has access to).

I suspect this was an oversight during development. Setting static_path=self.static_root (the aforementioned correct cli option) in line 664 provides the intended behavior and restricts the file access to the static directory.
From what I can tell, this line has been in the repository since September 2018. This is the commit that added it: https://github.com/voila-dashboards/voila/commit/28faacc9b03b160fd8fa920ad045f4ec0667ab67

I have found multiple voila instances online that are impacted, such as:

  • ... [redacted]
  • ... [redacted]
  • ... [redacted]

...but many more probably exist. They're easy to identify by [redacted] Therefore the Issue should be fixed as soon as possible, and a security advisory should be released to inform the impacted users.

Impact

Any deployment of voilà dashboard allow local file inclusion, that is to say any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server.

Whether this still requires authentication depends on how voilà is deployed.

CVE-2024-30265 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.2.17, 0.3.8, 0.4.4, 0.5.6); upgrading removes the vulnerable code path.

Affected versions

voila (>= 0.0.2, < 0.2.17) voila (>= 0.3.0a0, < 0.3.8) voila (>= 0.4.0a0, < 0.4.4) voila (>= 0.5.0a0, < 0.5.6)

Security releases

voila → 0.2.17 (pip) voila → 0.3.8 (pip) voila → 0.4.4 (pip) voila → 0.5.6 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

This is patched in 0.2.17+, 0.3.8+, 0.4.4+, 0.5.6+

Frequently Asked Questions

  1. What is CVE-2024-30265? CVE-2024-30265 is a high-severity security vulnerability in voila (pip), affecting versions >= 0.0.2, < 0.2.17. It is fixed in 0.2.17, 0.3.8, 0.4.4, 0.5.6.
  2. How severe is CVE-2024-30265? CVE-2024-30265 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of voila are affected by CVE-2024-30265? voila (pip) versions >= 0.0.2, < 0.2.17 is affected.
  4. Is there a fix for CVE-2024-30265? Yes. CVE-2024-30265 is fixed in 0.2.17, 0.3.8, 0.4.4, 0.5.6. Upgrade to this version or later.
  5. Is CVE-2024-30265 exploitable, and should I be worried? Whether CVE-2024-30265 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-30265 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-30265?
    • Upgrade voila to 0.2.17 or later
    • Upgrade voila to 0.3.8 or later
    • Upgrade voila to 0.4.4 or later
    • Upgrade voila to 0.5.6 or later

Stop the waste.
Protect your environment with Kodem.