diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
new file mode 100644
index 0000000000..dadec31f3a
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
@@ -0,0 +1,65 @@
+From e19cb50fb529bbe75cc4f1b68eeb0a3f631ad0d0 Mon Sep 17 00:00:00 2001
+From: "J. Nick Koston" <nick@koston.org>
+Date: Thu, 8 Aug 2024 11:19:28 -0500
+Subject: [PATCH] Do not follow symlinks for compressed file variants (#8652)
+
+CVE: CVE-2024-42367
+
+Upstream-Status: Backport
+[https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f]
+
+Co-authored-by: Steve Repsher <steverep@users.noreply.github.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ CHANGES/8652.bugfix.rst     |  1 +
+ aiohttp/web_fileresponse.py | 26 ++++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+ create mode 100644 CHANGES/8652.bugfix.rst
+
+diff --git a/CHANGES/8652.bugfix.rst b/CHANGES/8652.bugfix.rst
+new file mode 100644
+index 000000000..3a1003e50
+--- /dev/null
++++ b/CHANGES/8652.bugfix.rst
+@@ -0,0 +1 @@
++Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`.
+diff --git a/aiohttp/web_fileresponse.py b/aiohttp/web_fileresponse.py
+index f41ed3fd0..35dbd41e1 100644
+--- a/aiohttp/web_fileresponse.py
++++ b/aiohttp/web_fileresponse.py
+@@ -127,6 +127,32 @@ class FileResponse(StreamResponse):
+         self.content_length = 0
+         return await super().prepare(request)
+ 
++    def _get_file_path_stat_encoding(
++        self, accept_encoding: str
++    ) -> Tuple[pathlib.Path, os.stat_result, Optional[str]]:
++        """Return the file path, stat result, and encoding.
++
++        If an uncompressed file is returned, the encoding is set to
++        :py:data:`None`.
++
++        This method should be called from a thread executor
++        since it calls os.stat which may block.
++        """
++        file_path = self._path
++        for file_extension, file_encoding in ENCODING_EXTENSIONS.items():
++            if file_encoding not in accept_encoding:
++                continue
++
++            compressed_path = file_path.with_suffix(file_path.suffix + file_extension)
++            with suppress(OSError):
++                # Do not follow symlinks and ignore any non-regular files.
++                st = compressed_path.lstat()
++                if S_ISREG(st.st_mode):
++                    return compressed_path, st, file_encoding
++
++        # Fallback to the uncompressed file
++        return file_path, file_path.stat(), None
++
+     async def prepare(self, request: "BaseRequest") -> Optional[AbstractStreamWriter]:
+         filepath = self._path
+ 
+-- 
+2.34.1
+
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
index 479c2f2064..fdecf9ef4c 100644
--- a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://CVE-2024-23334.patch \
             file://CVE-2024-52304.patch \
             file://CVE-2023-49082.patch \
             file://CVE-2024-27306.patch \
+            file://CVE-2024-42367.patch \
            "
 
 SRC_URI[sha256sum] = "b0cf2a4501bff9330a8a5248b4ce951851e415bdcce9dc158e76cfd55e15085c"