Skip to content

Commit 8a939ff

Browse files
1 parent da00dfd commit 8a939ff

4 files changed

Lines changed: 285 additions & 0 deletions

File tree

Lines changed: 84 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,84 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3p4h-7m6x-2hcm",
4+
"modified": "2026-06-17T18:11:48Z",
5+
"published": "2026-06-17T18:11:48Z",
6+
"aliases": [
7+
"CVE-2026-5038"
8+
],
9+
"summary": "Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads",
10+
"details": "### Impact\n\nA vulnerability in Multer allows an attacker to trigger a Denial of Service (DoS) by aborting or sending malformed multipart uploads, causing orphaned partial files to accumulate on disk when using diskStorage.\n\n### Patches\n\nUsers should upgrade to `2.2.0`, `3.0.0-alpha.2` or higher\n\n### Workarounds\n\nNone",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "multer"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "2.0.0-alpha.1"
29+
},
30+
{
31+
"fixed": "2.2.0"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "npm",
40+
"name": "multer"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "3.0.0-alpha.1"
48+
},
49+
{
50+
"fixed": "3.0.0-alpha.2"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm"
61+
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5038"
65+
},
66+
{
67+
"type": "WEB",
68+
"url": "https://cna.openjsf.org/security-advisories.html"
69+
},
70+
{
71+
"type": "PACKAGE",
72+
"url": "https://github.com/expressjs/multer"
73+
}
74+
],
75+
"database_specific": {
76+
"cwe_ids": [
77+
"CWE-459"
78+
],
79+
"severity": "MODERATE",
80+
"github_reviewed": true,
81+
"github_reviewed_at": "2026-06-17T18:11:48Z",
82+
"nvd_published_at": "2026-06-15T16:16:34Z"
83+
}
84+
}
Lines changed: 84 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,84 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-72gw-mp4g-v24j",
4+
"modified": "2026-06-17T18:12:27Z",
5+
"published": "2026-06-17T18:12:27Z",
6+
"aliases": [
7+
"CVE-2026-5079"
8+
],
9+
"summary": "Multer vulnerable to Denial of Service via deeply nested field names",
10+
"details": "### Impact\n\nMulter is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The `append-field` dependency parses bracket notation in field names (e.g., `a[b][c]`) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.\n\n### Patches\n\nUsers should upgrade to `2.2.0` and configure `limits.fieldNestingDepth` to the minimum depth their application requires.\n\n### Workarounds\n\nSet `limits.fields` to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "multer"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.0.0"
29+
},
30+
{
31+
"fixed": "2.2.0"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "npm",
40+
"name": "multer"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "3.0.0-alpha.1"
48+
},
49+
{
50+
"fixed": "3.0.0-alpha.2"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/expressjs/multer/security/advisories/GHSA-72gw-mp4g-v24j"
61+
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5079"
65+
},
66+
{
67+
"type": "WEB",
68+
"url": "https://cna.openjsf.org/security-advisories.html"
69+
},
70+
{
71+
"type": "PACKAGE",
72+
"url": "https://github.com/expressjs/multer"
73+
}
74+
],
75+
"database_specific": {
76+
"cwe_ids": [
77+
"CWE-400"
78+
],
79+
"severity": "HIGH",
80+
"github_reviewed": true,
81+
"github_reviewed_at": "2026-06-17T18:12:27Z",
82+
"nvd_published_at": "2026-06-15T14:16:37Z"
83+
}
84+
}
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-9cpj-qc93-vw8v",
4+
"modified": "2026-06-17T18:10:19Z",
5+
"published": "2026-06-17T18:10:19Z",
6+
"aliases": [
7+
"CVE-2026-28737"
8+
],
9+
"summary": "Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer",
10+
"details": "## Summary\n\nMe again.\n\nGitea's built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted `.gltf` files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing the extension name and Gitea inserts it into the DOM using `innerHTML` without sanitization. An attacker who can push a `.gltf` file to any repository can execute arbitrary JavaScript in the context of any user who views the file.\n\n## Affected Versions\n\n- Gitea **1.25.0** and later (3D file preview was introduced in 1.25 via the Online3DViewer integration)\n- Confirmed on `gitea:1.25-nightly` (SHA `e33d1da...`), which bundles `online-3d-viewer` npm package v0.16.0\n- The upstream [Online3DViewer](https://github.com/kovacsv/Online3DViewer) library is the root cause\n\n## Severity\n\n- Stored XSS: the payload persists in the repository and fires on every page view\n- Executes under the Gitea origin with the victim's session (cookies, CSRF tokens)\n- Any authenticated user viewing the file is compromised\n- Enables full account takeover (token creation, settings modification, repository manipulation)\n- No user interaction beyond viewing the file page is required\n\n## Details\n\n### Root Cause\n\nWhen Online3DViewer parses a glTF file, it checks whether all `extensionsRequired` entries are supported. For unsupported extensions, it calls:\n\n```javascript\n// In the Online3DViewer bundle (online-3d-viewer.js)\n// Approximate offset 1142618 in the bundled chunk\nthis.SetError(yp(\"Unsupported extension: {0}.\", unsupportedExtensions.join(\", \")));\n```\n\nThe `SetError` method stores this message, and Gitea's rendering code inserts it into the page using `innerHTML`:\n\n```javascript\n// Gitea's error display handler\nelement.innerHTML = errorMessage; // unsanitized\n```\n\nThe extension names from `extensionsRequired` are taken directly from the JSON file with no escaping or sanitization, allowing HTML injection.\n\n### Attack Vector\n\n1. An attacker creates a `.gltf` file with a malicious `extensionsRequired` value:\n\n```json\n{\n \"asset\": {\"version\": \"2.0\"},\n \"buffers\": [],\n \"extensionsRequired\": [\"<img src=x onerror=\\\"alert(document.cookie)\\\">\"],\n \"scenes\": []\n}\n```\n\n2. The attacker pushes this file to any Gitea repository they have write access to (including forks of public repositories).\n\n3. When any user navigates to the file's page in the Gitea web UI, the 3D viewer attempts to render it, encounters the \"unsupported extension,\" and inserts the error message (containing the attacker's HTML) into the DOM via `innerHTML`.\n\n4. The injected `<img onerror>` handler executes arbitrary JavaScript under the Gitea origin with the victim's authenticated session.\n\n### Impact\n\nFrom the XSS context, an attacker can:\n\n- **Create API access tokens** for the victim by POSTing to `/user/settings/applications` with the page's CSRF token\n- **Read private repositories** via same-origin API calls\n- **Modify repository contents** (supply chain attacks)\n- **Escalate to admin** if the victim is a Gitea administrator\n- **Exfiltrate data** via `fetch`, `XMLHttpRequest`, or `navigator.sendBeacon`\n\n## Proof of Concept\n\n### Minimal PoC (alert box)\n\nSave as `poc.gltf` and push to any Gitea 1.25+ repository:\n\n```json\n{\n \"asset\": {\"version\": \"2.0\"},\n \"buffers\": [],\n \"extensionsRequired\": [\"<img src=x onerror=\\\"alert('XSS: '+document.domain)\\\">\"],\n \"scenes\": []\n}\n```\n\nNavigate to the file in the Gitea web UI. The alert will fire.\n\n\n## Suggested Fixes\n\nSanitize or text-encode the error message before DOM insertion. Replace `innerHTML` with `textContent` for error display:\n\n```javascript\n// Instead of:\nelement.innerHTML = errorMessage;\n\n// Use:\nelement.textContent = errorMessage;\n```\n\nAlternatively, escape HTML entities in the error message before insertion.\n\n### Additional hardening\n\n- Render 3D file previews inside a sandboxed `<iframe>` with `sandbox=\"allow-scripts\"` and a restrictive CSP (`default-src 'none'`), similar to how Gitea already handles SVG attachments\n- Apply Content-Security-Policy headers to file preview pages that restrict inline script execution",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "code.gitea.io/gitea"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.25.0"
29+
},
30+
{
31+
"fixed": "1.26.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-9cpj-qc93-vw8v"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/go-gitea/gitea"
46+
}
47+
],
48+
"database_specific": {
49+
"cwe_ids": [
50+
"CWE-79"
51+
],
52+
"severity": "HIGH",
53+
"github_reviewed": true,
54+
"github_reviewed_at": "2026-06-17T18:10:19Z",
55+
"nvd_published_at": null
56+
}
57+
}
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-j5r2-4c8j-xc3m",
4+
"modified": "2026-06-17T18:10:46Z",
5+
"published": "2026-06-17T18:10:46Z",
6+
"aliases": [
7+
"CVE-2026-25779"
8+
],
9+
"summary": "Gitea: Open Redirect via redirect_to",
10+
"details": "### Details\n\nDespite the validation within `urlIsRelative` in `modules/httplib/url.go`, an open redirect is still possible due to usage of directory traversal sequences plus a back-slash in the \"redirect_to\" parameter.\n\n### PoC\n\nWhen a user uses this URL to login:\n\n`https://gitea.com/user/login?redirect_to=/a/../\\example.com`\n\nThey would be redirected to `example.com` upon a successful login to their gitea account.\n\n### Impact\n\n* Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages\n* OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect\n* Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header\n* Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/go-gitea/gitea"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.26.0"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.25.4"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-j5r2-4c8j-xc3m"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/go-gitea/gitea"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-601"
54+
],
55+
"severity": "MODERATE",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-06-17T18:10:46Z",
58+
"nvd_published_at": null
59+
}
60+
}

0 commit comments

Comments
 (0)