
@aydinnyunus
Last active March 19, 2025 07:07
CVE-2024-29409

CVE Description: File Upload Bypass in NestJS Due to Insufficient MIME Type Validation

File Upload Bypass Vulnerability in NestJS file-type.validator.ts

Vulnerability Summary: A file upload bypass vulnerability exists in the file-type.validator.ts implementation within the NestJS framework (versions prior to 10.x.x) that allows attackers to bypass MIME type checks during file uploads. The flaw arises from an incorrect or insufficient validation of the Content-Type header and the actual file content type. This allows an attacker to upload files with a mismatched Content-Type, leading to possible security issues, such as remote code execution, file disclosure, or data exfiltration.

Vulnerable Component:

  • Component: @nestjs/common
  • File: file-type.validator.ts
  • Affected Versions: Versions prior to 10.x.x
  • Vulnerable API: @nestjs/common file upload functionality (via FileTypeValidator)

Attack Vector: The vulnerability is triggered when an attacker manipulates the Content-Type header of a file part in a multipart/form-data request, which the NestJS framework does not adequately validate in the file-type.validator.ts file. By declaring a different MIME type for the part (e.g., text/html) while keeping an allowed file extension (e.g., .docx), the attacker can get the framework to accept the file and bypass the intended checks, allowing potentially malicious files to be uploaded.

Steps to Reproduce:

  1. Create a NestJS application that handles file uploads using the FileTypeValidator.
  2. Use a POST request to upload a file via a form with Content-Type: multipart/form-data.
  3. Manipulate the Content-Type of the file part to an incorrect MIME type, such as text/html while keeping the file extension as .docx or any other allowed extension.
  4. The NestJS server accepts the upload due to insufficient MIME type validation.
  5. The attacker successfully uploads a malicious file, which could potentially lead to further exploitation (e.g., shell execution, data leakage).

Example Malicious Request:

POST /upload HTTP/1.1
Host: localhost:3000
User-Agent: curl/8.7.1
Accept: */*
Content-Length: 272
Content-Type: multipart/form-data; boundary=------------------------A7V5gtNRD2195N62afxDmH
Connection: keep-alive

--------------------------A7V5gtNRD2195N62afxDmH
Content-Disposition: form-data; name="file"; filename="test.html"
Content-Type: image/jpeg

<html>
  <body>
   Example PoC for GHSA-cj7v-w2c7-cp7c
  </body>
</html>

--------------------------A7V5gtNRD2195N62afxDmH--

Root Cause Analysis: The issue stems from the file-type.validator.ts file in NestJS, which uses basic MIME type checks based on the Content-Type header in the HTTP request. However, an attacker can forge or modify the Content-Type header, allowing a file with an allowed extension (e.g., .docx) to be uploaded as a different MIME type (e.g., text/html), bypassing server-side checks.

Potential Impact:

  • Remote Code Execution (RCE): If the uploaded file is executable or contains malicious code (e.g., a PHP web shell disguised as a .docx file), it may be executed on the server.
  • Data Exfiltration or Corruption: Malicious files could be used to corrupt data or leak sensitive information.
  • Webshell Upload: The attacker could upload a web shell or script to gain unauthorized access to the server.
  • Security Misconfiguration: Since the file is uploaded and processed with a mismatched MIME type, it may be stored or executed in an unsafe manner.

Mitigation:

  1. Update to the Latest NestJS Version: Upgrade to NestJS version 10.x.x or higher, which includes improved validation and handling of file uploads.
  2. Enhance MIME Type Validation: Ensure the server checks both the Content-Type header and the actual file content using file signature checking (i.e., by examining the magic bytes of the file).
  3. Limit File Types: Restrict file uploads to a whitelist of file types and extensions that are necessary for the application.
  4. File Size and File Signature Checks: Implement additional checks to verify that the uploaded file's contents match its expected format, using libraries like file-type or magic-bytes.
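Mitigations 2 to 4 combined in one check, as an added TypeScript example that is not NestJS's own validator code: the declared part Content-Type is compared against a whitelist and then against the file's magic bytes, so the HTML part with a forged image/jpeg type from the request above is rejected. The signature table, the sample buffers and the `UploadedFile` shape (modelled on Multer's `mimetype`/`buffer` fields) are assumptions made for this example.

```typescript
// Added example, not NestJS's own validator. Magic-byte signatures for the
// types this application allows (constructed table; extend per application).
const SIGNATURES: { [mime: string]: number[] } = {
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/png": [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  // .docx is a ZIP container, so it begins with "PK\x03\x04"
  "application/vnd.openxmlformats-officedocument.wordprocessingml.document": [0x50, 0x4b, 0x03, 0x04],
};

// Assumed upload shape: the part's declared Content-Type (attacker controlled) and its bytes.
interface UploadedFile { originalname: string; mimetype: string; buffer: Uint8Array; }
// Identify the content by its leading bytes; null when no known signature matches.
function sniffMimeType(buf: Uint8Array): string | null {
  for (const mime in SIGNATURES) {
    const sig = SIGNATURES[mime];
    if (buf.length >= sig.length && sig.every((b, i) => buf[i] === b)) return mime;
  }
  return null;
}

// Accept only when the declared type is whitelisted AND the bytes carry that type's
// signature, so a forged Content-Type header alone can no longer pass the check.
function validateUpload(file: UploadedFile, allowed: string[]): { ok: boolean; reason?: string } {
  if (allowed.indexOf(file.mimetype) === -1) {
    return { ok: false, reason: "declared type " + file.mimetype + " is not allowed" };
  }
  const sniffed = sniffMimeType(file.buffer);
  if (sniffed !== file.mimetype) {
    return { ok: false, reason: "content is " + (sniffed ?? "unrecognised") + ", not " + file.mimetype };
  }
  return { ok: true };
}

function bytesOf(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
  return out;
}

// Constructed samples: a JPEG SOI/APP0 prefix, and the PoC part from the request
// above (HTML bytes sent with a forged Content-Type of image/jpeg).
const realJpeg: UploadedFile = {
  originalname: "photo.jpg", mimetype: "image/jpeg",
  buffer: new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46]),
};
const forgedHtml: UploadedFile = {
  originalname: "test.html", mimetype: "image/jpeg",
  buffer: bytesOf("<html><body>Example PoC</body></html>"),
};
```

In a NestJS application the same logic would live in a custom `FileValidator` subclass passed to `ParseFilePipe`, reading the bytes from the uploaded file's buffer rather than trusting the part header.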

Reference:
