PT-2026-53432 · Pypi · Flask-Reuploaded
Publicado
2026-06-29
·
Atualizado
2026-06-29
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Impact
A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI).
Patches
Flask-Reuploaded has been patched in version 1.5.0
Workarounds
- Do not pass user input to the
nameparameter - Use auto-generated filenames only
- Implement strict input validation if
namemust be used
python
from werkzeug.utils import secure filename
import os
# Sanitize user input before passing to save()
safe name = secure filename(request.form.get('custom name'))
# Remove path separators
safe name = os.path.basename(safe name)
# Validate extension matches policy
if not photos.extension allowed(photos.get extension(safe name)):
abort(400)
filename = photos.save(file, name=safe name)Resources
The fix is documented in the pull request, see https://github.com/jugmac00/flask-reuploaded/pull/180.
A proper write-up was created by the reporter of the vulnerability, Jaron Cabral (https://www.linkedin.com/in/jaron-cabral-751994357/), but is not yet available as of time of this publication.
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Flask-Reuploaded