CVE-2022-32114

8.8 HIGH

📋 TL;DR

An unrestricted file upload vulnerability in Strapi 4.1.12 allows authenticated users with upload permissions to upload PDF files containing JavaScript, which can lead to cross-site scripting (XSS) attacks when accessed. This affects Strapi instances where PDF uploads are permitted and files are stored in publicly accessible folders. Attackers can execute arbitrary JavaScript in victims' browsers by tricking them into viewing malicious PDFs.

💻 Affected Systems

Products:
  • Strapi
Versions: 4.1.12 (specifically mentioned), potentially other 4.x versions with similar configurations
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires: 1) User with 'Create (upload)' permission, 2) PDF uploads allowed in configuration, 3) Files stored in public assets folder (default behavior unless filename starts with dot).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain persistent XSS capabilities, potentially stealing session cookies, performing actions as authenticated users, or delivering malware to administrators and users.

🟠 Likely Case

Authenticated attackers upload malicious PDFs to conduct XSS attacks against other users who view or download these files, leading to session hijacking or credential theft.

🟢 If Mitigated

If PDF uploads are disabled or files are stored in non-public locations, impact is limited to internal users with access to the media library.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with upload permissions. Crafting PDFs that carry JavaScript is well documented and tools exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.13 and later

Vendor Advisory: https://github.com/strapi/strapi/security/advisories/GHSA-5h3v-vpr8-5jvx

Restart Required: Yes

Instructions:

1. Backup your Strapi instance.
2. Update Strapi to version 4.1.13 or later using npm: 'npm update strapi@4.1.13'.
3. Restart the Strapi server.
4. Verify the update with 'npm list strapi'.

🔧 Temporary Workarounds

Disable PDF uploads (applies to: all)

Configure Strapi to only allow image, video, and audio file uploads, excluding PDF files.

Edit config/plugins.js or config/middleware.js to set allowedTypes: ['images', 'videos', 'audios']

Restrict public access (applies to: all)

Configure Strapi to store uploaded files in non-public directories or use filename patterns that prevent public access.

Set the public assets configuration to use private storage, or implement middleware that checks file access.

🧯 If You Can't Patch

  • Immediately disable PDF uploads in Strapi configuration to prevent exploitation.
  • Review and audit all existing uploaded PDF files for malicious content and remove suspicious files.
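As an added example (not part of this advisory and not Strapi's own code), a Python scanner for the audit step above: it walks the uploads directory (assumed here to be Strapi's default public/uploads) and reports PDFs that carry /JavaScript, /JS, /OpenAction, /AA or /Launch keys, including keys written with #xx name escapes or hidden inside FlateDecode streams. The sample PDFs at the bottom are constructed for illustration.

```python
import re
import zlib
from pathlib import Path

# Assumption: Strapi 4 keeps public uploads under ./public/uploads; adjust for your deployment.
UPLOAD_DIR = Path("public/uploads")

# PDF name keys that introduce script execution or automatic actions. The lookahead
# stops "/AA" from matching inside unrelated names such as "/AAPL:Keywords".
MARKER_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)(?![A-Za-z0-9])")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def _unescape_names(data: bytes) -> bytes:
    # Undo #xx escapes inside names (e.g. /Java#53cript) so obfuscated keys still match.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes) -> bytes:
    # Keys inside FlateDecode object streams are invisible to a plain byte search,
    # so every stream that inflates cleanly is appended to the searchable text.
    extra = []
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj tolerates trailing bytes (the newline before "endstream")
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data (or damaged); the raw bytes are still searched
    return data + b"\n".join(extra)

def scan_pdf_bytes(data: bytes) -> list:
    """Return the distinct script/action keys found in a PDF, sorted, or [] if none."""
    if not data.startswith(b"%PDF"):
        return []  # not a PDF by magic number; a separate check should flag mislabelled files
    text = _unescape_names(_inflate_streams(data))
    return sorted({"/" + m.group(1).decode() for m in MARKER_RE.finditer(text)})

def scan_upload_dir(root: Path = UPLOAD_DIR) -> dict:
    """Map each PDF under root that carries script/action keys to the keys found."""
    hits = {}
    for path in root.rglob("*.pdf"):
        keys = scan_pdf_bytes(path.read_bytes())
        if keys:
            hits[str(path)] = keys
    return hits

# Constructed samples (not real uploads): benign, an OpenAction that runs an obfuscated
# JavaScript action, and the same action hidden in a FlateDecode stream.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n%%EOF")
HIDDEN_PDF = (b"%PDF-1.5\n3 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
              + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>") + b"\nendstream\nendobj\n%%EOF")
```

Run scan_upload_dir() against a copy of the uploads directory; flagged files deserve manual review rather than automatic deletion, since some legitimate forms also use /AA or /JavaScript.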

🔍 How to Verify

Check if Vulnerable:

Check Strapi version: if running 4.1.12 or earlier with PDF uploads enabled and public asset storage, the system is vulnerable.

Check Version:

npm list strapi | grep strapi

Verify Fix Applied:

After updating, verify version is 4.1.13 or later and test that PDF uploads are properly restricted or stored securely.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF uploads from user accounts, especially large or frequent uploads
  • Access logs showing requests to PDF files with suspicious parameters or from unexpected sources

Network Indicators:

  • HTTP requests to PDF files containing JavaScript payloads in URLs or parameters
  • Unusual outbound connections from Strapi server after PDF access

SIEM Query:

source="strapi" AND ((event="file_upload" AND file_extension="pdf") OR (url="*.pdf" AND (query="*javascript*" OR user_agent="*suspicious*")))
