CVE-2022-29623

7.8 HIGH

📋 TL;DR

CVE-2022-29623 is an arbitrary file upload issue reported against connect-multiparty 2.2.0, the Express/Connect wrapper around the multiparty form parser. The middleware writes every file in a multipart/form-data request to a temporary directory and exposes it on req.files without checking the file's type or contents; the report demonstrates this with a crafted PDF. Whether that turns into remote code execution depends on the application: it has to move the untrusted file somewhere it is later served or executed. Any application that relies on the middleware for upload handling and validates only the client-supplied filename or Content-Type is exposed.

💻 Affected Systems

Products:
  • Express Connect-Multiparty
Versions: 2.2.0 only
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that accept uploads through connect-multiparty and do not validate the resulting files themselves. The report has not been verified by the supplier; the middleware's own documentation states that it creates temporary files on the server and never cleans them up, leaving that to the application.

📦 What is this software?

connect-multiparty is Connect/Express middleware that wraps the multiparty parser: for multipart/form-data requests it populates req.body with the text fields and req.files with the uploaded files, each already written to a temporary directory (os.tmpdir() by default, configurable through the uploadDir option).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise with attacker gaining shell access, data exfiltration, and lateral movement within the network.

🟠 Likely Case

An attacker stores a crafted file on the server; if the application later serves or executes it, that file becomes a web shell or a persistent foothold, and application data can be read or modified from there.

🟢 If Mitigated

Upload attempts are blocked or quarantined with no successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes, when the application's upload route is reachable without authentication; the middleware itself enforces none
Complexity: LOW

YouTube videos demonstrate exploitation techniques. Exploitation requires an upload route that uses the middleware to be reachable, and code execution additionally requires the application to place the uploaded file where it is later served or executed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: connect-multiparty 2.2.1 or later is reported as fixed. Confirm that a fixed release actually exists ('npm view connect-multiparty versions') before relying on it: the link below is the release tag of the affected 2.2.0 itself, not an advisory, and the supplier has not confirmed the report.

Vendor Advisory: https://github.com/expressjs/connect-multiparty/releases/tag/2.2.0 (release page for the affected version, not an advisory)

Restart Required: Yes

Instructions:

1. Change the connect-multiparty range in package.json to the fixed version.
2. Run 'npm install' (or 'npm update connect-multiparty'; note that npm update only moves within the range already declared in package.json).
3. Run 'npm ls connect-multiparty' and confirm no copy of 2.2.0 remains, including copies nested under other dependencies.
4. Restart the Node.js application.
5. Keep application-side validation in place regardless of the version: the middleware only parses the request, and it is the application that decides where the file ends up.

🔧 Temporary Workarounds

Implement File Type Validation

Applies to: all platforms

Validate every entry in req.files on the server before using it: allowlist the extension, check the file's leading bytes against the type that extension implies, enforce a size limit, store accepted files under a server-generated name outside any directory the web server serves or executes, and delete the temporary files the middleware created whether or not the upload was accepted. Rejecting PDFs specifically does not help; the PDF in the report is only the carrier, and the client-supplied filename and Content-Type cannot be trusted.

Disable File Uploads

Applies to: all platforms

Temporarily remove the connect-multiparty middleware from the affected routes (or reject multipart/form-data requests at the reverse proxy) until the fix is in place.

🧯 If You Can't Patch

  • Enforce upload limits at the reverse proxy or WAF (maximum body size, allowed Content-Type, rate limits) and block multipart POSTs to routes that are not meant to accept uploads; signature-based WAF rules will not reliably recognize a crafted file, so treat this as reduced exposure, not a fix
  • Isolate the vulnerable application in a restricted network segment, run it as an unprivileged user, and make sure neither the upload directory nor os.tmpdir() is served as static content (mount them noexec where possible)

🔍 How to Verify

Check if Vulnerable:

Check package.json and run 'npm ls connect-multiparty' to see whether version 2.2.0 is installed anywhere in the dependency tree, including as a nested dependency of another package

Check Version:

npm list connect-multiparty | grep connect-multiparty

Verify Fix Applied:

Verify installed version is 2.2.1 or later using 'npm list connect-multiparty'

📡 Detection & Monitoring

Log Indicators:

  • Uploads rejected by the application's own validation (extension not allowed, content not matching the extension, size exceeded), and upload POSTs from clients that then request files under the upload directory
  • Errors from file validation middleware

Network Indicators:

  • HTTP POST requests with multipart/form-data bodies to upload endpoints, followed by GET requests from the same client for files with script extensions or double extensions under the directory uploads are served from
  • Unusual outbound connections from the application server

SIEM Query:

source="web_server" AND (method="POST" AND uri="*upload*" AND file_extension="pdf")

This query only matches uploads whose declared extension is .pdf; a crafted file can be renamed to anything, so pair it with alerts on the application's validation rejections and on later requests for script files under the upload directory.
