Skip to content

[Security] Insufficient server-side MIME type verification for image and media uploads #588

Description

@Pratikshya32

Description

In the backend message controllers, uploaded images are processed via Cloudinary base64 upload without checking the actual file signature or magic bytes. Users can bypass the file extension filter and upload executable files or scripts disguised as images.

Impact

Storage and distribution of malicious payloads or scripts on the server/Cloudinary domain.

Proposed Fix

  • Add file signature/magic byte verification (e.g. using file-type library) to validate that uploaded files match their declared image MIME types before passing them to the Cloudinary uploader.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions