File Upload No Validation
Accepting file uploads without verifying type, size, or content allows attackers to upload malicious executables, web shells, or oversized files that crash the server.
How It Works
When an application accepts file uploads without validation, attackers can upload files that the server should never process. A PHP web shell disguised as an image can execute arbitrary commands when accessed via URL. An executable uploaded as a document can compromise other users who download it. Oversized files can fill disk space and cause denial of service. Even with client-side validation, attackers bypass it trivially using curl or Burp Suite. The server must independently validate file type (by content, not just extension), enforce size limits, and store files outside the web root.
Vulnerable: uploads are stored inside the web root with no size limit and no type check, so whatever the client sends is served straight back from /uploads/.

const express = require('express');
const multer = require('multer');
const app = express();
// Destination is under public/, i.e. inside the web root; no limits, no fileFilter.
const upload = multer({ dest: 'public/uploads/' });
app.post('/upload', upload.single('file'), (req, res) => {
  // The stored file is immediately reachable by URL, whatever its content.
  res.json({ url: `/uploads/${req.file.filename}` });
});

Fixed: files go to a private directory, a size cap is enforced, and only the declared image types are accepted.

const multer = require('multer');
const upload = multer({
  dest: 'private/uploads/',                // outside the web root; multer assigns a random filename
  limits: { fileSize: 5 * 1024 * 1024 },   // reject anything over 5 MB
  fileFilter: (req, file, cb) => {
    // file.mimetype is the client-declared type, so this is only a first gate;
    // the stored file's content still has to be checked before it is used.
    const allowed = ['image/jpeg', 'image/png', 'image/webp'];
    cb(null, allowed.includes(file.mimetype)); // false: file is silently dropped, req.file is undefined
  }
});

Real-World Example
In 2023, a file upload vulnerability in MOVEit Transfer (CVE-2023-34362) was exploited by the Clop ransomware gang. Attackers uploaded web shells through the file transfer service, compromising over 2,500 organizations including Shell, British Airways, and the BBC.
How to Prevent It
- Validate file MIME type by reading file content headers, not just the extension
- Enforce strict file size limits using multer's limits option
- Store uploaded files outside the web root in a private directory
- Generate random filenames and never use the original filename from the user
Related Vulnerabilities
- Path Traversal (high): File paths constructed with unvalidated user input allow attackers to read or write arbitrary files on the server using ../ sequences.
- SVG with JavaScript (medium): Accepting SVG uploads without sanitization allows attackers to embed JavaScript in SVG files, enabling XSS attacks when the SVG is rendered in a browser.
- EXIF Not Stripped (low): Images served without stripping EXIF metadata can leak GPS coordinates, device information, timestamps, and other sensitive data about the person who took the photo.
- PDF Generation Injection (medium): Injecting HTML or JavaScript into PDF generation templates allows attackers to read server-side files, make internal network requests, or execute scripts in the PDF viewer.