CVE-2021-32708

Name of the Vulnerable Software and Affected Versions Flysystem versions 1.x through 1.1.3 Flysystem versions 2.x through 2.1.0

Description The issue arises from the whitespace normalisation in Flysystem, which removes any unicode whitespace. This could potentially allow a malicious user to execute code remotely under certain conditions. These conditions include: a user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname is checked against an extension deny-list (not an allow-list), the supplied path or filename contains a unicode whitespace char in the extension, and the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met, a user can upload and execute arbitrary code on the system under attack.

Recommendations For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.