Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.
An attacker can pass crafted input to the `name` parameter during file upload. The library does not properly validate this value, which allows for path traversal — saving a file in any location on the server outside the intended target directory. At the same time, it is possible to bypass file extension controls, and through SSTI the attacker can trigger execution of malicious code on the server side.
An attacker can write any file to a selected location on the server and execute remote code (RCE) on it, which can lead to complete system takeover, disclosure of sensitive data, or compromise of data integrity.
Flask-Reuploaded should be updated to version 1.5.0, in which the vulnerability has been fixed. As a temporary workaround: user input should not be passed to the `name` parameter — instead, only auto-generated file names should be used; if use of the `name` parameter is necessary, strict input validation should be implemented.
All versions of the Jugmac00 Flask-Reuploaded library before version 1.5.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJugmac00 Flask Reuploaded
APPJugmac00< 1.5.0