VYPR
Moderate severityNVD Advisory· Published Aug 12, 2022· Updated Aug 3, 2024

CVE-2022-38179

Description

JetBrains Ktor before 2.1.0 was vulnerable to the Reflect File Download attack

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JetBrains Ktor before 2.1.0 is vulnerable to Reflect File Download (RFD) attacks due to improper Content-Disposition header encoding.

Vulnerability

Overview

CVE-2022-38179 affects JetBrains Ktor versions prior to 2.1.0. The vulnerability is a Reflect File Download (RFD) attack, which occurs when a web application reflects user-supplied input in file download responses without proper sanitization. In Ktor, this was possible because the framework did not properly encode the Content-Disposition filename* parameter, allowing an attacker to inject arbitrary characters and manipulate the download behavior [1][3].

Exploitation

An attacker can exploit this by crafting a malicious URL that causes the Ktor server to respond with a file download containing a filename that includes special characters. When the user clicks the link, the browser may misinterpret the response and execute code locally, depending on the filename extension and user interaction. The attack requires no authentication if the vulnerable endpoint is publicly accessible; it relies on tricking a user into clicking a crafted link [2].

Impact

Successful exploitation can lead to arbitrary code execution on the client's machine. For example, if the response is treated as a downloadable file with a .bat or .cmd extension, the browser might prompt the user to run it, leading to system compromise. This is a significant client-side risk, especially in environments where users have limited awareness of such attacks [2].

Mitigation

The vulnerability is fixed in Ktor version 2.1.0 and later. Users are strongly advised to upgrade to the latest version. The fix involved encoding the filename* parameter according to RFC 5987, ensuring that only allowed attribute characters are used in Content-Disposition headers [3]. No workarounds are documented; upgrading is the recommended action.
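As an added illustration of the encoding rule the fix relies on (this is not Ktor's own code and not part of this advisory; Ktor is a Kotlin framework, and Python is used here only for a self-contained, runnable demonstration), the following builds a Content-Disposition header whose filename* value is an RFC 5987 ext-value: only the attr-char set (letters, digits and a short list of punctuation) is emitted literally, and every other UTF-8 byte is percent-encoded. A separate ASCII-only filename= fallback and a validator for the emitted ext-value are included so the output can be checked. The sample names at the bottom are constructed for the demonstration.

```python
import re
import string

# RFC 5987 "attr-char": the only characters allowed to appear unescaped in an
# ext-value; every other byte of the UTF-8 encoding must be %HH-escaped.
ATTR_CHARS = frozenset(string.ascii_letters + string.digits + "!#$&+-.^_`|~")

# Validator for a complete ext-value as emitted by rfc5987_encode() below.
EXT_VALUE_RE = re.compile(r"^UTF-8''(?:[A-Za-z0-9!#$&+.^_`|~-]|%[0-9A-F]{2})*$")


def rfc5987_encode(value: str) -> str:
    """Return an RFC 5987 ext-value (UTF-8''<pct-encoded>) for `value`.

    Characters outside attr-char, including ';', '"', '\\', CR/LF and all
    non-ASCII, are percent-encoded, so nothing in `value` can terminate or
    extend the Content-Disposition header.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in ATTR_CHARS else f"%{byte:02X}")
    return "UTF-8''" + "".join(out)


def ascii_fallback(value: str) -> str:
    """ASCII-only value for the legacy `filename=` parameter.

    Control characters are dropped; non-ASCII, '"' and '\\' become '_' so a
    reflected name cannot break out of the quoted-string.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            continue
        out.append("_" if code > 0x7E or ch in '"\\' else ch)
    return "".join(out)


def content_disposition(filename: str, inline: bool = False) -> str:
    """Build a Content-Disposition value carrying both parameters (RFC 6266)."""
    disposition = "inline" if inline else "attachment"
    return (f'{disposition}; filename="{ascii_fallback(filename)}"; '
            f"filename*={rfc5987_encode(filename)}")


def is_valid_ext_value(ext_value: str) -> bool:
    """Check that an ext-value contains only attr-char and %HH escapes."""
    return EXT_VALUE_RE.match(ext_value) is not None


if __name__ == "__main__":
    # Constructed sample names: a plain one, a non-ASCII one, and one carrying
    # header-delimiting characters of the kind a reflected value might contain.
    for name in ["report.pdf", "résumé.pdf", 'x";.bat\r\nX-Injected: 1']:
        header = content_disposition(name)
        print(header)
        assert is_valid_ext_value(header.split("filename*=")[1])
```

The validator is the check worth keeping in a test suite: any filename* value that fails it contains a byte the header grammar does not allow, which is exactly the class of defect this advisory describes.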

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.ktor:ktor (Maven)
Affected versions: < 2.1.0
Patched versions: 2.1.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.