CVE CyberSecurity Database News

CVE-2022-27261 - Arbitrary File Overwrite in Express-FileUpload v1.3.1 Explained

Poster -

The Node.js ecosystem is rich with modules to make development easy. But sometimes popular modules come with security issues. In this post, we'll dive deep into CVE-2022-27261, a critical vulnerability in the widely-used express-fileupload middleware. We'll explain how this arbitrary file write happens, show exploit details, and discuss how to stay safe. If you're running Express apps that let users upload files, you need to pay attention to this one.

What is Express-FileUpload?

express-fileupload is an easy-to-use middleware for handling file uploads in Node.js and Express applications. It parses incoming file uploads and saves them to disk or memory. Due to its simplicity, it's included in countless codebases.

What happened?

In version 1.3.1 (and earlier), express-fileupload does not properly prevent multiple files with _identical filenames_ from being uploaded at the same time. That means an attacker could upload files that overwrite each other by simply naming them the same. This leads to arbitrary file write, paving the way for impacting data integrity—or even remote code execution if malicious scripts are overwritten.

How does it work?

Normally, you'd expect the upload handler to assign a unique name if multiple files are uploaded with the same filename. But in express-fileupload v1.3.1, the library just takes the last file in the multipart form data and writes it to the server disk. Any existing file with the same name gets overwritten without warning.

Imagine these steps

1. User uploads report.pdf to /uploads/report.pdf

The attacker's file overwrites the legitimate file in the web server's uploads directory.

Or, in a multi-upload scenario, if the attacker submits several report.pdf files in the same request, only the last one will end up on the server—potentially chosen maliciously.

Exploiting CVE-2022-27261: Proof of Concept

Here's a simple, practical example of using curl to exploit the vulnerability.

Example vulnerable code (server)

const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();

app.use(fileUpload());

app.post('/upload', function(req, res) {
  let sampleFile;
  let uploadPath;

  sampleFile = req.files.sampleFile;
  uploadPath = __dirname + '/uploads/' + sampleFile.name;

  sampleFile.mv(uploadPath, function(err) {
    if (err)
      return res.status(500).send(err);
    res.send('File uploaded!');
  });
});

Exploit request using cURL

curl -F "sampleFile=@file1.txt" -F "sampleFile=@file2.txt" http://localhost:300/upload


Both file1.txt and file2.txt have the same file name (say, info.txt), the second one will overwrite the first. The server ends up with only the second info.txt on disk.

What's worse:
If you know the web root path, you could overwrite server files like index.html or even inject server-executable files (for example, in insecure deployments).

Integrity loss: Legitimate user files can be overwritten and lost without any notice.

- Malicious replacement: Attacker could replace a harmless file with something malicious (a poisoned image, for example).
- Remote Code Execution (RCE): If your upload directory is public (or web root), an attacker could overwrite a file with malicious code, causing the server to execute it.
- Dos: By repeatedly overwriting a file, the server resources can be exhausted or logs tampered with.

Upgrade to version 1.4. or above.

Express-fileupload patched this in PR #295 by preventing multiple files from being uploaded with the same field name and the same file name, and by offering better controls.

How to upgrade

npm install express-fileupload@latest

References

- CVE-2022-27261 on NVD
- Original Issue Report
- express-fileupload Changelog
- Exploit Database Entry

Final Thoughts

CVE-2022-27261 reminds us that even simple file upload tasks can lead to serious vulnerabilities. Attackers love finding ways to overwrite files on a server, as it's a stepping stone for bigger exploits. Even if it _looks_ harmless, never trust user-uploaded files—always store them in a secure, segregated way with unique names and strong validation. Upgrade your dependencies regularly, and check public advisories!


If your app uses express-fileupload below version 1.4., update it NOW. Always handle file uploads with care.

---
*Written by an infosec enthusiast. If you have comments or questions, join the discussion below!*

Timeline

Published on: 04/12/2022 17:15:00 UTC
Last modified on: 04/19/2022 19:35:00 UTC