CVE-2024-39903

HIGH NUCLEI

Solara < 1.35.1 - Local File Inclusion via URI Fragment Path Traversal

Title source: llm

Exploitation Summary

CVE-2024-39903 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.

Nuclei Templates (1)

Solara <1.35.1 - Local File Inclusion

HIGHVERIFIEDby iamnoooob,rootxharsh,pdresearch

FOFA: icon_hash="-223126228"

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/widgetti/solara/security/advisories/GHSA-9794-pc4r-438w

Patch x_refsource_misc

https://github.com/widgetti/solara/commit/df2fd66a7f4e8ffd36e8678697a8a4f76760dc54

View Patch ZIP pw:eip

Scores

CVSS v3 8.6

EPSS 0.0288

EPSS Percentile 85.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

pypi/solara 0 - 1.35.1PyPI

widgetti/solara < 1.35.1

Published Jul 12, 2024

Tracked Since Feb 18, 2026