Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13NG02LXg2YzItajVjOc07AQ

Express-FileUpload Arbitrary File Overwrite

An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing existing files on the web application server to be overwritten. The package author disputes this vulnerability.

Permalink: https://github.com/advisories/GHSA-w4m6-x6c2-j5c9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NG02LXg2YzItajVjOc07AQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.001
EPSS Percentile: 0.42643

Identifiers: GHSA-w4m6-x6c2-j5c9, CVE-2022-27261
References: Repository: https://github.com/richardgirges/express-fileupload
Blast Radius: 33.2

Affected Packages

npm:express-fileupload
Dependent packages: 796
Dependent repositories: 26,468
Downloads: 1,818,118 last month
Affected Version Ranges: <= 1.3.1
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.3.0, 0.4.0, 1.0.0, 1.1.4, 1.1.5, 1.1.6, 1.1.8, 1.1.9, 1.1.10, 1.2.0, 1.2.1, 1.3.0, 1.3.1