CVE-2022-27261
Description
Express-FileUpload v1.3.1 allows arbitrary file write by uploading multiple files with the same name, overwriting existing files on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Express-FileUpload v1.3.1 is an Express middleware that wraps around busboy for handling file uploads. An arbitrary file write vulnerability exists because the package does not prevent multiple uploaded files from having the same name. When files are uploaded with identical names, subsequent files overwrite previously uploaded ones, including potentially sensitive files that were already on the server. The affected version is v1.3.1 as described in the CVE [1][2].
Exploitation
An attacker can exploit this by sending multiple HTTP requests (or a single multipart request with multiple files) that each contain a file with the same name as a target file on the server. The attack requires only network access to the Express application and the ability to upload files (i.e., a route that uses express-fileupload and calls the .mv() method to place the uploaded file in a location on the filesystem). No special authentication is mentioned, but the attacker must know or guess the path where the application stores uploaded files [1][2].
Impact
On success, the attacker can overwrite arbitrary files on the server to which the application process has write access. This can lead to a range of impacts including defacement, denial of service, or potentially remote code execution if the overwritten file is a script executed by the server. The privilege level is that of the web application user [2][4]. The vendor has disputed the severity of this issue, stating that users are responsible for placing files in secure locations [4].
Mitigation
As of the available references, the vendor has not released a patched version and has closed related issues stating that the behavior is expected and that it is the user's responsibility to handle file naming securely [4]. There is no official fix in Express-FileUpload. Users should implement their own file name validation and use safe upload paths that are outside the web root. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| express-fileupload (npm) | <= 1.3.1 | — |
Affected products
- Express-FileUpload / Express-FileUpload
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w4m6-x6c2-j5c9 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-27261 (advisory)
- github.com/richardgirges/express-fileupload/issues/312 (web)
- github.com/richardgirges/express-fileupload/issues/316 (web)
- www.npmjs.com/package/express-fileupload (web, x_refsource_MISC)
- www.youtube.com/watch (web, x_refsource_MISC)
News mentions
No linked articles in our index yet.