fohrloop dash-uploader Unauthenticated Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in fohrloop dash-uploader versions 0.1.0 through 0.7.0a2. The issue arises in the dash_uploader/httprequesthandler.py and dash_uploader/upload.py components, specifically within the Upload function. The vulnerability is triggered by the max_file_size parameter, which is not properly validated, allowing remote attackers to execute arbitrary code.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where the vulnerable version of dash-uploader is installed.
Reproduction
To reproduce this vulnerability, upload a file using the dash-uploader component in a Dash application. Set the 'resumableTotalChunks' parameter to a high value, such as 30 million, which will trigger the Linux Out-Of-Memory (OOM) killer, causing the server process to crash. Alternatively, set 'resumableTotalChunks' to 0, which will truncate the uploaded file to zero bytes. This can be done by sending a POST request to the '/API/resumable' endpoint with the appropriate parameters.
Remediation
Users are advised to migrate to Plotly Dash's built-in 'dcc.Upload' component, which does not have these vulnerabilities. If that is not possible, set Flask's 'MAX_CONTENT_LENGTH' to enforce size limits and add a cleanup mechanism for orphaned upload directories.
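The two remediation steps above, as an added example that is not dash-uploader's or Plotly's own code: a server-side check that rejects the abusive chunk counts described in the reproduction section before any file is written, and a sweep that removes orphaned upload directories. The field names other than resumableTotalChunks follow the resumable.js protocol and are assumed; MAX_CONTENT_LENGTH, MAX_CHUNKS and the cleanup age are assumed policy values.

```python
"""Hardening helpers for a Flask app that accepts resumable chunked uploads.
Assign MAX_CONTENT_LENGTH to app.config["MAX_CONTENT_LENGTH"] so Flask itself
rejects oversized request bodies with HTTP 413 before the handler runs.
"""
import os
import shutil
import time

MAX_CONTENT_LENGTH = 64 * 1024 * 1024  # 64 MiB, assumed upload size policy
MAX_CHUNKS = 4096  # assumed upper bound on chunks per upload


def validate_chunk_params(form, max_content_length=MAX_CONTENT_LENGTH):
    """Return (ok, reason) for the resumable form fields of one chunk request.

    Rejects the two inputs the advisory describes: a chunk count of 0 (which
    truncates the stored file) and an enormous chunk count (which makes the
    server allocate per-chunk state until the OOM killer ends the process).
    Works on a plain dict or on flask.request.form.
    """
    try:
        total_chunks = int(form.get("resumableTotalChunks", ""))
        chunk_size = int(form.get("resumableChunkSize", ""))
        total_size = int(form.get("resumableTotalSize", ""))
    except ValueError:
        return False, "chunk parameters must be integers"
    if total_chunks < 1 or chunk_size < 1 or total_size < 1:
        return False, "chunk parameters must be positive"
    if total_chunks > MAX_CHUNKS:
        return False, "too many chunks"
    if total_size > max_content_length or chunk_size > max_content_length:
        return False, "declared size exceeds MAX_CONTENT_LENGTH"
    # The client-declared chunk count must match what size/chunk size implies,
    # so a forged count cannot drive the merge step.
    expected_chunks = -(-total_size // chunk_size)  # ceiling division
    if total_chunks != expected_chunks:
        return False, "chunk count inconsistent with declared size"
    return True, "ok"


def cleanup_orphaned_uploads(upload_root, max_age_seconds=3600, now=None):
    """Delete per-upload directories untouched for longer than max_age_seconds.

    Returns the names of the directories removed; run it periodically so
    abandoned or rejected uploads cannot fill the disk.
    """
    now = time.time() if now is None else now
    removed = []
    for name in sorted(os.listdir(upload_root)):
        path = os.path.join(upload_root, name)
        if os.path.isdir(path) and now - os.path.getmtime(path) > max_age_seconds:
            shutil.rmtree(path)
            removed.append(name)
    return removed
```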