Flask-Reuploaded Path Traversal Vulnerability Leading to Remote Code Execution
Vulnerability
A critical path traversal and extension bypass vulnerability has been identified in Flask-Reuploaded versions prior to 1.5.0. The 'name' parameter of UploadSet.save() is used to build the destination path without being confined to the configured upload directory, so a remote attacker who controls that value can write a file of their choosing to any path the application process can write to, and can choose a filename whose final extension passes the allowed-extension check. Where the written file is later rendered by Flask as a Jinja2 template, the attacker's template expressions execute, turning the file write into remote code execution through Server-Side Template Injection (SSTI).
Impact
Exploitation of this vulnerability could lead to arbitrary file writes at any location the application process can write to and, where the written file is rendered as a template, remote code execution on the server.
Reproduction
The vulnerability can be reproduced by intercepting a legitimate upload request (for example with Burp Suite) and setting the 'name' parameter to a value containing path traversal sequences such as '../../../'. Because the directory portion of 'name' is joined under the configured upload destination with no check that the result stays inside it, the file is written outside the upload directory. The extension check examines only the final suffix of the filename, so a double extension such as 'backdoor.py.jpg' passes it while the file still carries attacker-chosen contents. If the file is written to a location the application later renders as a Jinja2 template, the template expressions it contains execute on the server, giving remote code execution.
Remediation
Users are advised to upgrade to Flask-Reuploaded version 1.5.0 or later. If an older version must remain in use, do not pass user-controlled input to the 'name' parameter; let the library generate the filename instead. Where 'name' must be supplied, validate it strictly: reject path separators and '..', restrict it to an allow-list of filename characters, check the extension, and confirm that the final path resolves inside the upload destination before saving.
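As an added illustration (not code from this advisory or from Flask-Reuploaded), the following Python places a model of the path computation described under Reproduction beside the hardened handling recommended under Remediation. The upload-set behaviour it models (a '/' in 'name' split into a sub-folder and a filename, only the final extension checked, the pieces joined under the destination) is an assumption drawn from the description above rather than the library's own source; the allowed-extension set, the function names and the sample 'name' values are constructed for the example.

```python
import os
import re
import tempfile

# Constructed model of an upload set whose save() accepts a caller-supplied
# `name`. Illustration code written for this advisory, not Flask-Reuploaded's
# own source. It assumes the behaviour described above: a '/' in `name` is
# split into a sub-folder and a filename, only the final extension of the
# filename is checked, and the pieces are joined under the configured
# destination without confining the result to it.

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}  # an IMAGES-style set (assumed)


def extension(filename: str) -> str:
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def unsafe_target(destination: str, name: str) -> str:
    """Vulnerable path computation: `name` is trusted as given.

    The extension check looks only at the last suffix, so 'backdoor.py.jpg'
    passes, and the folder part of `name` may contain '..' that walks out of
    `destination` once the path is normalised (shown here with normpath, as
    the filesystem would do on open).
    """
    folder, basename = os.path.split(name) if "/" in name else ("", name)
    if extension(basename) not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return os.path.normpath(os.path.join(destination, folder, basename))


class UnsafeName(ValueError):
    """Raised when a caller-supplied name fails the hardened checks."""


# Allow-list for the whole filename: alphanumerics, dot, underscore, hyphen,
# starting with an alphanumeric so '.', '..' and dot-files are rejected.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def safe_target(destination: str, name: str) -> str:
    """Hardened variant: `name` must be a plain filename and the resolved
    target must stay inside `destination` (the advice under Remediation)."""
    if "/" in name or "\\" in name or "\x00" in name:
        raise UnsafeName("path separators are not allowed in name")
    if not _SAFE_NAME.fullmatch(name):
        raise UnsafeName("name is outside the character allow-list")
    if extension(name) not in ALLOWED_EXTENSIONS:
        raise UnsafeName("extension not allowed")
    dest_real = os.path.realpath(destination)
    target = os.path.realpath(os.path.join(dest_real, name))
    # Defence in depth: even if the checks above are loosened later, refuse
    # anything that does not resolve under the destination directory.
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeName("target escapes the upload destination")
    return target


def is_safe_name(destination: str, name: str) -> bool:
    """True when safe_target() accepts `name`, False when it rejects it."""
    try:
        safe_target(destination, name)
    except UnsafeName:
        return False
    return True


def demo() -> dict:
    """Run both variants against the same attacker-style inputs in a
    throwaway directory and return the outcomes for inspection."""
    dest = os.path.realpath(tempfile.mkdtemp())
    payload = "../templates/backdoor.py.jpg"  # traversal plus double extension
    return {
        "destination": dest,
        # vulnerable: passes the extension check and lands outside dest
        "unsafe_traversal": unsafe_target(dest, payload),
        # hardened: a plain allowed filename is accepted and stays inside dest
        "safe_plain": safe_target(dest, "cat.jpg"),
        "safe_rejects_traversal": not is_safe_name(dest, payload),
        "safe_rejects_dotdot": not is_safe_name(dest, ".."),
        "safe_rejects_html": not is_safe_name(dest, "index.html"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the outcome of each check. The point to take away is that 'backdoor.py.jpg' passes the extension test in both versions, so the extension check is not the control that matters; what stops the write is refusing path separators and confirming that the resolved path stays under the destination, because a file that cannot leave the upload directory cannot overwrite or masquerade as a template.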
