filebrowser/filebrowser
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*
- <= 2.61.2
A vulnerability exists in File Browser versions 2.61.2 and below within the TUS resumable upload handler. The Upload-Length header is parsed as a signed 64-bit integer without checking that the value is non-negative. An authenticated user with upload permission can therefore declare a negative length, which satisfies the upload completion condition (the received offset has already reached the declared length) on the very first PATCH request, even one carrying no body. The server then runs the configured after_upload exec hooks against an empty or partial file. The attacker can repeat this at will, triggering any configured hook with arbitrary filenames and no data. Depending on the hooks in use this leads to denial of service, amplification of any command injection weakness in the hook command, or abuse of upload-driven workflows. All deployments that expose the TUS upload endpoint (/api/tus) are affected; where exec hooks are enabled, the impact escalates to remote command execution.
Exploitation of this vulnerability, particularly when exec hooks are enabled, allows remote command execution: the attacker fires after_upload exec hooks repeatedly with controlled filenames and no file content. Even when the hook command itself is benign, invoking resource-intensive hooks such as virus scanning or database operations costs the attacker nothing per request and can exhaust the host. Because the filename is attacker-controlled, a hook command that interpolates it without proper quoting is additionally exposed to command injection.
To reproduce this vulnerability, an authenticated user with upload permission initiates a TUS upload by sending a POST request to the /api/tus endpoint with a negative Upload-Length header (for example -1). The first PATCH request, sent with an empty body and Upload-Offset 0, then triggers the after_upload exec hook immediately, although no data has been uploaded. Creating a new upload and patching it once can be repeated indefinitely, so the hook fires as many times as the attacker likes with zero bytes uploaded each time.
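The following Go program is an added example that models the bug class described above; it is not File Browser's code. A minimal in-memory TUS creation and PATCH handler keeps an upload's declared length and received offset, fires a simulated after_upload hook when the offset reaches the length, and is exercised with httptest requests that replay the reproduction steps (POST with Upload-Length: -1, then an empty-bodied PATCH). The names tusServer, parseUploadLength and runScenario, the Upload-Name header used to carry the filename, and the hookRuns slice standing in for the exec hook are all assumptions made for this example. The strict flag selects the hardened parser that rejects negative lengths.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// upload is the per-upload state a TUS server keeps (constructed for this example).
type upload struct {
	name   string
	length int64 // value of the Upload-Length creation header
	offset int64 // bytes received so far
}

// tusServer is a minimal model of a TUS creation + PATCH handler with an
// after_upload hook. It is not File Browser's implementation.
type tusServer struct {
	strict   bool // true: reject negative Upload-Length (the hardened variant)
	uploads  map[string]*upload
	hookRuns []string // filenames handed to the simulated after_upload hook
}

func newServer(strict bool) *tusServer {
	return &tusServer{strict: strict, uploads: map[string]*upload{}}
}

// parseUploadLength is the check at issue. strconv.ParseInt happily returns a
// negative int64 for "-1"; only the strict branch rejects it.
func parseUploadLength(raw string, strict bool) (int64, error) {
	n, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("invalid Upload-Length: %w", err)
	}
	if strict && n < 0 {
		return 0, errors.New("Upload-Length must be non-negative")
	}
	return n, nil
}

func (s *tusServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == http.MethodPost && r.URL.Path == "/api/tus":
		length, err := parseUploadLength(r.Header.Get("Upload-Length"), s.strict)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		id := strconv.Itoa(len(s.uploads) + 1)
		s.uploads[id] = &upload{name: r.Header.Get("Upload-Name"), length: length}
		w.Header().Set("Location", "/api/tus/"+id)
		w.WriteHeader(http.StatusCreated)
	case r.Method == http.MethodPatch && strings.HasPrefix(r.URL.Path, "/api/tus/"):
		u, ok := s.uploads[strings.TrimPrefix(r.URL.Path, "/api/tus/")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		n, _ := io.Copy(io.Discard, r.Body) // empty body: n == 0
		u.offset += n
		w.Header().Set("Upload-Offset", strconv.FormatInt(u.offset, 10))
		w.WriteHeader(http.StatusNoContent)
		// Completion condition. With length == -1 and offset == 0 this is
		// already true on the first PATCH, so the hook fires with no data.
		if u.offset >= u.length {
			s.hookRuns = append(s.hookRuns, u.name)
		}
	default:
		http.NotFound(w, r)
	}
}

// runScenario replays the reproduction steps against the in-memory server,
// `rounds` times: POST with Upload-Length: -1, then a PATCH with an empty body.
// It returns the status codes of the last round and every filename the hook saw.
func runScenario(strict bool, rounds int) (createCode, patchCode int, hookRuns []string) {
	s := newServer(strict)
	for i := 0; i < rounds; i++ {
		post := httptest.NewRequest(http.MethodPost, "/api/tus", nil)
		post.Header.Set("Tus-Resumable", "1.0.0")
		post.Header.Set("Upload-Length", "-1") // negative, accepted by ParseInt
		post.Header.Set("Upload-Name", fmt.Sprintf("attacker-%d.txt", i))
		rec := httptest.NewRecorder()
		s.ServeHTTP(rec, post)
		createCode = rec.Code

		loc := rec.Header().Get("Location")
		if loc == "" { // creation refused: PATCH the id it would have had
			loc = "/api/tus/" + strconv.Itoa(i+1)
		}
		patch := httptest.NewRequest(http.MethodPatch, loc, strings.NewReader(""))
		patch.Header.Set("Tus-Resumable", "1.0.0")
		patch.Header.Set("Upload-Offset", "0")
		patch.Header.Set("Content-Type", "application/offset+octet-stream")
		rec = httptest.NewRecorder()
		s.ServeHTTP(rec, patch)
		patchCode = rec.Code
	}
	return createCode, patchCode, s.hookRuns
}

func main() {
	c, p, hooks := runScenario(false, 3)
	fmt.Printf("vulnerable: POST %d, PATCH %d, hook fired %d times with zero bytes: %v\n", c, p, len(hooks), hooks)
	c, p, hooks = runScenario(true, 3)
	fmt.Printf("hardened:   POST %d, PATCH %d, hook fired %d times\n", c, p, len(hooks))
}
```

In the permissive mode the hook list grows by one attacker-chosen filename per round even though every PATCH carried zero bytes; in strict mode creation fails with 400 and the hook never runs. The fix is the single sign check in parseUploadLength: a resumable-upload server must treat Upload-Length as an unsigned quantity before it can use it in any completion test.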
Users are advised to upgrade to a release newer than 2.61.2. In the fixed releases the command execution feature is disabled by default; installations that genuinely need exec hooks can re-enable them with the --disable-exec=false flag or by setting the FB_DISABLE_EXEC environment variable to false, and should in that case limit upload permission to trusted accounts, since every user who can upload can also trigger the hooks.