CVE-2022-32114
Description
An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Strapi 4.1.12 allows XSS via crafted PDF upload in the Add New Assets function, though this behavior is consistent with documented permissions and configuration options.
Vulnerability Overview
CVE-2022-32114 describes an unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12, where an attacker can upload a crafted PDF file containing JavaScript to conduct a cross-site scripting (XSS) attack. The official description notes that this behavior aligns with the project's documented design: users with the Media Library "Create (upload)" permission are intended to be able to upload PDF files that may contain JavaScript, and all files in the public assets folder are accessible externally unless the filename begins with a dot [1][3].
Exploitation Context
Exploitation requires that an administrator has not configured the Media Library to restrict uploads to only image, video, and audio file types. By default, Strapi allows uploading PDF files, and the attacker must have a valid account with at least the "Create (upload)" permission in the Media Library role [2]. Once uploaded, the malicious PDF is stored in the public assets folder and can be accessed by anyone who knows the file path.
Impact
An attacker who successfully uploads a crafted PDF can trigger arbitrary JavaScript execution in the context of a user who views or downloads the file, leading to potential data theft, session hijacking, or other client-side attacks. The impact is limited to users who interact with the malicious file.
Mitigation Status
Strapi administrators can mitigate this by configuring the Media Library global settings to allow only image, video, and audio uploads, effectively blocking PDF files. This is a documented configuration option, not a code-level patch [1]. No formal security patch was issued for this behavior, as it is considered by the project to be a matter of configuration rather than a vulnerability in the software itself [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @strapi/strapi (npm) | <= 4.1.12 | — |
Affected products
- strapi/strapi
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4vm8-j95f-j6v5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-32114 (NVD advisory)
- docs.strapi.io/dev-docs/configurations/public-assets (web)
- docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles (web)
- github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js (web)
- github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js (web)
- grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e (web)
News mentions
No linked articles in our index yet.