VYPR
High severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 13, 2026

Path Traversal in Media Upload Handle in Tina

CVE-2026-28791

Description

Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal in TinaCMS's media upload handler lets unauthenticated attackers write files outside the intended directory, fixed in version 2.1.7.

A path traversal vulnerability, classified as CWE-22, exists in the TinaCMS development server's media upload handler. The vulnerable code in media.ts at lines 42-43 takes a user-controlled path from the URL, splits it on slashes, and passes the segments to path.join() without validating that the resulting path remains within the intended mediaFolder directory [1][2]. Because path.join() resolves .. segments, an attacker can supply a path like ../../../tmp/evil.txt to escape the media folder and write files anywhere on the filesystem [1].

The attack is exploitable over the network via an HTTP POST request to the /media/upload/ endpoint. No authentication, special privileges, or prior access is required; the development server is directly reachable [1]. The same traversal pattern may also affect the delete handler, allowing arbitrary file deletion [1].

Successful exploitation grants the attacker arbitrary file write capability. This can be leveraged to overwrite critical system files, inject malicious scripts, or achieve remote code execution on the server running the TinaCMS development server [1][2]. The impact is rated as critical due to the low attack complexity and high potential for full system compromise [2].

The vulnerability is patched in TinaCMS version 2.1.7 [1][2]. Users are strongly advised to upgrade immediately. No workaround is documented; disabling the media endpoint on untrusted networks is a temporary mitigation [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
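As an added illustration (not code from TinaCMS, from this advisory, or from its cited sources), the following contrasts the unchecked join the description refers to with a contained version. The media root, the request paths and the function names are constructed for the example. The hardened function resolves the joined path and then requires it to sit strictly below the media folder, which is the control the vulnerable handler is described as lacking.

```typescript
import * as path from "path";

// Constructed media root for the example; not a TinaCMS path.
const MEDIA_FOLDER = "/srv/media";

// Vulnerable shape: URL path segments are joined under the media folder with
// no containment check. path.join() normalises ".." segments, so a request
// path of "../../../tmp/evil.txt" resolves to "/tmp/evil.txt".
function joinWithoutContainment(mediaFolder: string, requestedPath: string): string {
  const segments = requestedPath.split("/").filter((s) => s.length > 0);
  return path.join(mediaFolder, ...segments);
}

// Hardened shape: resolve first, then require the result to lie strictly
// below the media folder. Returns null for any path that escapes, for the
// folder itself (an upload needs a file target) and for embedded NUL bytes.
function resolveInsideMediaFolder(mediaFolder: string, requestedPath: string): string | null {
  if (requestedPath.includes("\0")) {
    return null;
  }
  const root = path.resolve(mediaFolder);
  const segments = requestedPath.split("/").filter((s) => s.length > 0);
  const candidate = path.resolve(root, ...segments);

  // path.relative() yields ".." or a path starting with "../" exactly when
  // the candidate is outside root; an entry literally named "..foo" is still inside.
  const rel = path.relative(root, candidate);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}

// Prints both results for a few constructed request paths.
function demo(): void {
  const samples = ["images/2026/banner.png", "../../../tmp/evil.txt", "images/../../x.txt"];
  for (const requested of samples) {
    console.log(
      requested,
      "=> join:", joinWithoutContainment(MEDIA_FOLDER, requested),
      "| contained:", resolveInsideMediaFolder(MEDIA_FOLDER, requested),
    );
  }
}

demo();
```

The check has to run on the decoded path the web framework hands the handler, and the same function serves any handler that turns a request path into a filesystem path, including a delete endpoint: a null result maps to a 400 response before any filesystem call is made.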

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: tinacms (npm)
Affected versions: < 2.1.7
Patched versions: 2.1.7

Affected products

  • tinacms/Tina (llm-fuzzy)
    Range: < 2.1.7
  • tinacms/tinacms (v5)
    Range: < 2.1.7

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3 indexed)

News mentions

No linked articles in our index yet.