Capgo - Denial of Service via Unauthenticated OPTIONS Request to /build/upload Endpoint
Description
Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authentication middleware and invoke tusProxy logic with invalid credentials, enabling trivial request flooding and denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: <12.128.2
- (no CPE) range: <12.128.2
Patches
Vulnerability mechanics
Root cause
"Missing authentication check on the OPTIONS route handler allows unauthenticated requests to reach internal build upload logic with an invalid auth context."
Attack vector
An unauthenticated attacker sends an HTTP OPTIONS request to `/build/upload/:jobId` or `/build/upload/:jobId/*` endpoints. The authentication middleware (`middlewareKey`) is skipped for OPTIONS requests, so the request reaches `tusProxy()` without a valid auth context. Downstream logic expects a valid build/job state and fails, returning a consistent HTTP 500 error. This works regardless of whether the `jobId` exists, enabling trivial request flooding and denial of service.
Affected code
The vulnerability is in `supabase/functions/_backend/public/build/index.ts` where the `app.options('/upload/:jobId/*', ...)` handler bypasses authentication middleware and directly invokes `tusProxy()` with a synthetic empty API key object `{ user_id: '', key: '' }`. This causes downstream logic to fail and return a generic `unknown_error` with HTTP 500.
What the fix does
The advisory does not include a patch diff, but the remediation would require either applying authentication middleware to the OPTIONS route handler or ensuring that `tusProxy()` gracefully handles missing/invalid auth context without producing a 500 error. The advisory notes that OPTIONS requests should be safe and non-failing per TUS protocol expectations, so the fix should prevent unauthenticated requests from reaching internal build upload logic.
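The route shape described above, and one hardened form of it, as an added example. This is not Capgo's code: it is a minimal stand-in for a Hono-style router so the behaviour can be exercised offline. The names `middlewareKey`, `tusProxy`, the `{ user_id: '', key: '' }` object and the `unknown_error`/500 outcome come from the advisory; the request and response shapes, the API-key table, the 401 and 204 responses and the TUS/CORS preflight headers are assumptions (the 204 with `Tus-Version` follows the tus core protocol's rule that OPTIONS must succeed without touching upload state).

```typescript
// Added example, not Capgo's code. Models the dispatch described in the advisory:
// every method except OPTIONS passes through middlewareKey(); OPTIONS goes straight
// to tusProxy() with an empty key and fails with a generic 500.

type ApiKey = { user_id: string; key: string };
type Req = { method: string; path: string; headers: Record<string, string> };
type Res = { status: number; body: string; headers: Record<string, string> };

// Constructed key table standing in for the real lookup (assumption).
const VALID_KEYS: Record<string, ApiKey> = {
  'key-abc': { user_id: 'u1', key: 'key-abc' },
};

// Stand-in for tusProxy(): it needs a real auth context; without one it throws,
// which the surrounding handler turns into the generic unknown_error 500.
function tusProxy(_req: Req, apikey: ApiKey): Res {
  if (!apikey.user_id || !apikey.key) throw new Error('no auth context');
  return { status: 200, body: 'proxied', headers: {} };
}

// Stand-in for middlewareKey(): returns the key object or null when absent/invalid.
function middlewareKey(req: Req): ApiKey | null {
  const k = req.headers['authorization'];
  return k && VALID_KEYS[k] ? VALID_KEYS[k] : null;
}

// Matches both /build/upload/:jobId and /build/upload/:jobId/*
const UPLOAD_ROUTE = /^\/build\/upload\/[^/]+(\/.*)?$/;

// Vulnerable dispatch: OPTIONS bypasses middlewareKey and invokes tusProxy with
// a synthetic empty key, so any jobId (existing or not) yields a 500.
function handleVulnerable(req: Req): Res {
  if (!UPLOAD_ROUTE.test(req.path)) return { status: 404, body: 'not_found', headers: {} };
  try {
    if (req.method === 'OPTIONS') {
      return tusProxy(req, { user_id: '', key: '' });
    }
    const apikey = middlewareKey(req);
    if (!apikey) return { status: 401, body: 'unauthorized', headers: {} };
    return tusProxy(req, apikey);
  } catch (e) {
    return { status: 500, body: 'unknown_error', headers: {} };
  }
}

// Hardened dispatch (assumption, not the project's fix): OPTIONS is answered as a
// TUS/CORS preflight that never reaches tusProxy or job state; all other methods
// must pass the auth middleware first.
function handleHardened(req: Req): Res {
  if (!UPLOAD_ROUTE.test(req.path)) return { status: 404, body: 'not_found', headers: {} };
  if (req.method === 'OPTIONS') {
    return {
      status: 204,
      body: '',
      headers: {
        'Tus-Version': '1.0.0',
        'Tus-Extension': 'creation',
        'Access-Control-Allow-Methods': 'POST, PATCH, HEAD, OPTIONS',
        'Access-Control-Allow-Headers':
          'Authorization, Tus-Resumable, Upload-Length, Upload-Offset, Content-Type',
      },
    };
  }
  try {
    const apikey = middlewareKey(req);
    if (!apikey) return { status: 401, body: 'unauthorized', headers: {} };
    return tusProxy(req, apikey);
  } catch (e) {
    return { status: 500, body: 'unknown_error', headers: {} };
  }
}
```

The key point of the hardened form is that the OPTIONS branch is decided before any proxy or database work, so an unauthenticated flood costs the server only a static response; applying `middlewareKey` to OPTIONS instead would break browser preflights, which carry no Authorization header.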
Preconditions
- auth: No authentication required; attacker can be unauthenticated
- network: Attacker must be able to send HTTP OPTIONS requests to the target API endpoint
- input: No valid jobId needed; any arbitrary string works
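Because the attack needs no credentials and no valid jobId, the observable signature is a burst of OPTIONS requests to `/build/upload/*` that all end in HTTP 500 from one source. The following is an added detection example, not Capgo's code or part of the advisory: it parses constructed access-log lines in a simplified `epoch ip method path status` format (an assumption) and flags any IP that produces at least `threshold` such requests inside a sliding window. The sample lines, window and threshold are all constructed.

```typescript
// Added example, not Capgo's code: flag floods of unauthenticated OPTIONS requests
// to /build/upload/* that return 500, the pattern the advisory describes.

type LogEntry = { ts: number; ip: string; method: string; path: string; status: number };

// Constructed sample log: "epoch ip method path status" (format is an assumption).
const SAMPLE_LOG = `
1719000000 203.0.113.5 OPTIONS /build/upload/xyz/chunk 500
1719000000 203.0.113.5 OPTIONS /build/upload/abc 500
1719000001 203.0.113.5 OPTIONS /build/upload/zzz/part 500
1719000001 203.0.113.5 OPTIONS /build/upload/qqq 500
1719000001 203.0.113.5 OPTIONS /build/upload/1/2 500
1719000002 198.51.100.7 POST /build/upload/real-job 200
1719000002 198.51.100.7 OPTIONS /build/upload/real-job 500
1719000050 203.0.113.5 GET /app/versions 200
`;

function parseLog(text: string): LogEntry[] {
  const out: LogEntry[] = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const parts = line.split(/\s+/);
    if (parts.length !== 5) continue; // skip malformed lines rather than abort
    const [ts, ip, method, path, status] = parts;
    out.push({ ts: Number(ts), ip, method: method.toUpperCase(), path, status: Number(status) });
  }
  return out;
}

// Same route shape as the advisory: /build/upload/:jobId and /build/upload/:jobId/*
const UPLOAD_ROUTE = /^\/build\/upload\/[^/]+(\/.*)?$/;

function isSuspect(e: LogEntry): boolean {
  return e.method === 'OPTIONS' && e.status === 500 && UPLOAD_ROUTE.test(e.path);
}

type Alert = { ip: string; count: number; windowStart: number };

// Per source IP, slide a window of `windowSecs` over the suspect timestamps and
// report the densest window that reaches `threshold` requests.
function findFloods(entries: LogEntry[], windowSecs = 10, threshold = 5): Alert[] {
  const byIp = new Map<string, number[]>();
  for (const e of entries) {
    if (!isSuspect(e)) continue;
    const arr = byIp.get(e.ip) ?? [];
    arr.push(e.ts);
    byIp.set(e.ip, arr);
  }
  const alerts: Alert[] = [];
  byIp.forEach((times, ip) => {
    times.sort((a, b) => a - b);
    let start = 0;
    let best: Alert | null = null;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSecs) start++;
      const count = end - start + 1;
      if (count >= threshold && (!best || count > best.count)) {
        best = { ip, count, windowStart: times[start] };
      }
    }
    if (best) alerts.push(best);
  });
  return alerts;
}

console.log(findFloods(parseLog(SAMPLE_LOG)));
```

A single OPTIONS/500 from a legitimate client (198.51.100.7 above) is expected on an unpatched instance and is not flagged; only the sustained pattern from 203.0.113.5 crosses the threshold. After upgrading to 12.128.2, any OPTIONS/500 on this route is itself worth an alert, since the preflight should no longer fail.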
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cap-go/capgo/security/advisories/GHSA-6c7m-4223-446j (mitre, vendor-advisory)
- www.vulncheck.com/advisories/capgo-denial-of-service-via-unauthenticated-options-request-to-build-upload-endpoint (mitre, third-party-advisory)