CVE-2023-34457

Public Exploit
MechanicalSoup vulnerable to malicious web server reading arbitrary files on client using file input inside HTML form

Description

MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a `<input type="file" ...>` inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue.

Category

5.9
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 1.85% Top 20%
Vendor Advisory github.com
Affected: MechanicalSoup MechanicalSoup
Published at:
Updated at:

References

Link Tags
https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4 exploit patch vendor advisory
https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e patch
https://github.com/MechanicalSoup/MechanicalSoup/releases/tag/v1.3.0 release notes
https://security.netapp.com/advisory/ntap-20230803-0005/

Frequently Asked Questions

What is the severity of CVE-2023-34457?
CVE-2023-34457 has been scored as a medium severity vulnerability.
How to fix CVE-2023-34457?
To fix CVE-2023-34457, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-34457 being actively exploited in the wild?
It is possible that CVE-2023-34457 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-34457?
CVE-2023-34457 affects MechanicalSoup MechanicalSoup.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.