PT-2022-18246 · Unknown · Express-Fileupload

Shahbaz-Pucit · Published 2022-04-12 · Updated 2024-08-03 · CVE-2022-27140

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: express-fileupload version 1.3.1

Description: An arbitrary file upload vulnerability in the file upload module of express-fileupload allows attackers to execute arbitrary code via a crafted PHP file. The vendor's position is that the observed behavior can only occur through intentional misuse of the API, since the express-fileupload middleware is not responsible for an application's business logic, such as determining whether or how a file should be renamed.

Recommendations: For express-fileupload version 1.3.1, consider disabling the file upload module until a patch is available, to prevent the execution of arbitrary code via crafted PHP files. Restrict access to the file upload functionality to minimize the risk of exploitation. Avoid using the file upload module with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2022-27140

Affected Products: Express-Fileupload