VYPR
Moderate severity · NVD Advisory · Published Sep 29, 2022 · Updated May 20, 2025

CVE-2022-40931

Description

dutchcoders Transfer.sh 1.4.0 is vulnerable to Cross Site Scripting (XSS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/dutchcoders/transfer.sh (Go)
Affected versions: <= 1.4.0
Patched versions: (none listed)

Patches

Vulnerability mechanics

Root cause

"Missing content-type validation allows an attacker to upload a file with an empty or unset Content-Type, causing the server to serve it without a proper MIME type and enabling XSS in the browser."

Attack vector

An attacker uploads a file containing a JavaScript payload (e.g., an HTML file) whose Content-Type is empty or cannot be determined by the server. When a victim accesses the file with the `?inline` query parameter, the server sets `Content-Disposition: inline` but fails to set a safe Content-Type, leaving the browser to sniff the content and execute the embedded script. The attack requires no authentication and is triggered simply by visiting the crafted URL [patch_id=1641272].

Affected code

The vulnerability resides in `server/handlers.go` within the `getHandler` function. When the `action` parameter is `"inline"`, the code sets `disposition = "inline"` but does not validate whether `contentType` is empty. This allows files with an undetermined MIME type to be served inline without a safe fallback content-type header [patch_id=1641272].

What the fix does

The patch adds a guard in `server/handlers.go` inside the `getHandler` function: if `strings.TrimSpace(contentType)` is empty when the `action` is `"inline"`, the content type is forced to `"text/plain"`. This prevents the browser from MIME-sniffing attacker-controlled content as HTML or JavaScript. By always serving a safe, explicit MIME type for inline-displayed files with an undetermined content type, the XSS vector is closed [patch_id=1641272].
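The header decision described above, as an added Go example that models the unpatched and patched behaviour side by side. This is not transfer.sh's code: the function names and the "attachment" default for non-inline actions are assumptions, and http.DetectContentType stands in for the browser's MIME sniffing.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// ResponseHeaders models the Content-Disposition / Content-Type decision the
// advisory describes for the `?inline` action (hypothetical stand-in for the
// logic in getHandler). With patched=true, an empty or whitespace-only content
// type is replaced with "text/plain" before the file is served inline.
func ResponseHeaders(action, contentType string, patched bool) http.Header {
	h := http.Header{}
	disposition := "attachment" // assumed default for non-inline actions
	if action == "inline" {
		disposition = "inline"
		if patched && strings.TrimSpace(contentType) == "" {
			contentType = "text/plain" // the fix: never leave the type to the browser
		}
	}
	h.Set("Content-Disposition", disposition)
	if strings.TrimSpace(contentType) != "" {
		h.Set("Content-Type", contentType)
	}
	return h
}

// EffectiveType returns the type a client acts on: the declared Content-Type
// when present, otherwise the result of sniffing the body. Go's
// http.DetectContentType follows the WHATWG mime-sniffing rules, so it
// approximates what a browser would decide for an untyped response.
func EffectiveType(h http.Header, body []byte) (mimeType string, sniffed bool) {
	if ct := h.Get("Content-Type"); ct != "" {
		return ct, false
	}
	return http.DetectContentType(body), true
}

// RendersAsHTML reports whether an inline response for an upload with no
// determinable type ends up treated as HTML, i.e. whether script could run.
func RendersAsHTML(body []byte, patched bool) bool {
	h := ResponseHeaders("inline", "", patched)
	mt, _ := EffectiveType(h, body)
	return strings.HasPrefix(mt, "text/html")
}

func main() {
	// Constructed sample upload: an HTML document with no declared content type.
	body := []byte("<html><body>constructed sample</body></html>")
	fmt.Println("unpatched treated as HTML:", RendersAsHTML(body, false)) // true
	fmt.Println("patched treated as HTML:  ", RendersAsHTML(body, true))  // false
}
```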

Preconditions

  • input: Attacker uploads a file whose Content-Type is empty or cannot be determined by the server's metadata.ContentType logic.
  • network: Victim must access the uploaded file via a URL that includes the ?inline query parameter.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
