Low severity · OSV Advisory · Published Feb 3, 2026 · Updated Feb 5, 2026
CVE-2025-70849
Description
Arbitrary File Upload in podinfo through 6.9.0 allows unauthenticated attackers to upload arbitrary files via a crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS).
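The rendering path described above, as an added example that is not podinfo's own code: a minimal read handler that echoes stored bytes with no headers, beside one hardened with the three headers from the fix. It shows why the unhardened path is exploitable: when no Content-Type is set, Go's net/http sniffs the body and labels an HTML payload `text/html`, which the browser then renders. The handler names and the sample payload are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample payload: what an uploader could store and later read back.
const samplePayload = "<html><script>alert(1)</script></html>"

// vulnerableRead mirrors the pre-fix pattern: bytes are echoed with no
// Content-Type, so net/http sniffs the first 512 bytes and, for this payload,
// labels the response text/html. The browser will execute the script.
func vulnerableRead(content []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Write(content) // implicit 200; no Content-Type set, so sniffing applies
	}
}

// hardenedRead applies the three headers from the fix: a non-renderable type,
// nosniff so the browser does not second-guess it, and a CSP that blocks scripts.
func hardenedRead(content []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("Content-Security-Policy", "default-src 'none'")
		w.WriteHeader(http.StatusOK)
		w.Write(content)
	}
}

// responseHeaders serves the payload through h in-process and returns the
// three headers that decide whether a browser will execute the stored content.
func responseHeaders(h http.HandlerFunc) map[string]string {
	rr := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/store/deadbeef", nil)
	h.ServeHTTP(rr, req)
	out := map[string]string{}
	for _, name := range []string{"Content-Type", "X-Content-Type-Options", "Content-Security-Policy"} {
		out[name] = rr.Header().Get(name)
	}
	return out
}

func main() {
	fmt.Println("before:", responseHeaders(vulnerableRead([]byte(samplePayload))))
	fmt.Println("after: ", responseHeaders(hardenedRead([]byte(samplePayload))))
}
```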
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/stefanprodan/podinfo (Go) | < 1.8.1-0.20260314125853-83deb7fcb742 | 1.8.1-0.20260314125853-83deb7fcb742 |
Affected products
- Range: 0.2.2, 2.0.0, 2.0.1, …
Patches
83deb7fcb742 Merge pull request #463 from stefanprodan/fix-CVE-2025-70849
2 files changed · +57 −0
pkg/api/http/store.go+3 −0 modified@@ -60,6 +60,9 @@ func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) { s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError) return } + w.Header().Set("Content-Type", "application/octet-stream") + w.Header().Set("X-Content-Type-Options", "nosniff") + w.Header().Set("Content-Security-Policy", "default-src 'none'") w.WriteHeader(http.StatusAccepted) w.Write([]byte(content)) }
pkg/api/http/store_test.go+54 −0 added@@ -0,0 +1,54 @@ +package http + +import ( + "net/http" + "net/http/httptest" + "strings" + "testing" + + "github.com/gorilla/mux" +) + +func TestStoreReadHandler_ContentType(t *testing.T) { + dataDir := t.TempDir() + srv := NewMockServer() + srv.config.DataPath = dataDir + + // Write an HTML payload to the store. + writeReq, err := http.NewRequest("POST", "/store", strings.NewReader("<html><script>alert(1)</script></html>")) + if err != nil { + t.Fatal(err) + } + writeRR := httptest.NewRecorder() + http.HandlerFunc(srv.storeWriteHandler).ServeHTTP(writeRR, writeReq) + + if writeRR.Code != http.StatusAccepted { + t.Fatalf("store write returned status %d, want %d", writeRR.Code, http.StatusAccepted) + } + + // Read it back and verify Content-Type is application/octet-stream, not text/html. + hash := hash("<html><script>alert(1)</script></html>") + readReq, err := http.NewRequest("GET", "/store/"+hash, nil) + if err != nil { + t.Fatal(err) + } + readReq = mux.SetURLVars(readReq, map[string]string{"hash": hash}) + + readRR := httptest.NewRecorder() + http.HandlerFunc(srv.storeReadHandler).ServeHTTP(readRR, readReq) + + if readRR.Code != http.StatusAccepted { + t.Fatalf("store read returned status %d, want %d", readRR.Code, http.StatusAccepted) + } + + expectedHeaders := map[string]string{ + "Content-Type": "application/octet-stream", + "X-Content-Type-Options": "nosniff", + "Content-Security-Policy": "default-src 'none'", + } + for header, want := range expectedHeaders { + if got := readRR.Header().Get(header); got != want { + t.Errorf("%s = %q, want %q", header, got, want) + } + } +}
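Review bot: in the store.go hunk, the three headers are set only on the success path of storeReadHandler and the write path is left untouched, so the fix stops the browser from rendering stored bytes as a page but does not change that the /store endpoint still accepts the unauthenticated upload named in the description; that scope should be stated in the PR. Alongside `application/octet-stream`, a `Content-Disposition: attachment` header would make the intent explicit and force a download rather than inline display, and the handler continues to answer a GET with `http.StatusAccepted` where `http.StatusOK` is the expected status for a read.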
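Review bot: in the store_test.go hunk, `hash := hash("<html><script>alert(1)</script></html>")` shadows the package-level `hash` function with a string for the rest of the test; it compiles because the right-hand side is resolved before the new variable comes into scope, but a name such as `fileHash` avoids the confusion. The payload literal is also duplicated between the write request and the hash call; a single `payload` constant used in both places keeps the two from drifting apart.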
References
- github.com/advisories/GHSA-mw8w-q3f7-2v85 (ADVISORY, source: ghsa)
- nvd.nist.gov/vuln/detail/CVE-2025-70849 (ADVISORY, source: ghsa)
- gist.github.com/kazisabu/27f3e272f474005001a9ecd2c258dbea (WEB, source: ghsa)
- github.com/stefanprodan/podinfo/commit/83deb7fcb7421f2d01eeb7475b18d72f16084aed (WEB, source: ghsa)
- github.com/stefanprodan/podinfo/pull/463 (WEB, source: ghsa)
- github.com/stefanprodan/podinfo/releases/tag/6.11.1 (WEB, source: ghsa)