Expand Up @@ -6,15 +6,41 @@
"aliases": [
"CVE-2026-38360"
],
"details": "Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components",
"summary": "dash-uploader vulnerable to unauthenticated path traversal leading to remote code execution",
"details": "### Impact\n\nAn unauthenticated path traversal vulnerability exists in [dash-uploader](https://pypi.org/project/dash-uploader/) versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at `dash_uploader/httprequesthandler.py` reads three form parameters (`upload_id`, `resumableFilename`, `resumableIdentifier`) from `request.form.get()` and passes them directly to `os.path.join()` and `os.makedirs()` without any sanitization.\n\nA single unauthenticated `POST /API/dash-uploader` request with `upload_id` set to a relative path (e.g. `../../etc/cron.d` or `../venv/lib/python3.13/site-packages`) escapes the application's `uploads/` directory and writes the supplied file content to the chosen target path under the privilege of the gunicorn / WSGI process.\n\nWhen the chosen target is a Python `site-packages` directory and the dropped file is a `.pth` file containing an `import`-prefixed line, Python's `site` module executes that line on the next interpreter startup, yielding remote code execution. Other escalation paths reachable from the same primitive include overwriting the running WSGI module, dropping `~/.ssh/authorized_keys`, or writing JavaScript into a Dash-served `assets/` directory for stored XSS.\n\n### Affected versions\n\nAll 16 published PyPI releases (`0.1.0` through `0.7.0a2`) are affected. The package repository was archived on 2025-07-19; **no patched version exists**.\n\n### Mitigation\n\nReplace `dash-uploader` with an alternative file-upload component (for example, `dash-resumable-upload`, server-rendered `<input type=\"file\">` plus a hardened Flask endpoint, or a maintained Dash community alternative). 
There is no upstream fix path.\n\nWhile a replacement is being deployed, mitigations include:\n\n* Block `POST /API/dash-uploader` at an upstream proxy, OR\n* Run the application as an unprivileged user with no write access to its own `site-packages`, OR\n* Use a read-only filesystem for the application's code directories.\n\nThis is a companion advisory to [GHSA-xp7f-v245-w3w8](https://github.com/advisories/GHSA-xp7f-v245-w3w8) (CVE-2026-38361), a multi-vector denial-of-service suite in the same library reachable through the same endpoint.\n\n### References\n\n* Public PoC: <https://github.com/a1ohadance/CVE-2026-38360>\n* NVD: <https://nvd.nist.gov/vuln/detail/CVE-2026-38360>\n* CVE record: <https://www.cve.org/CVERecord?id=CVE-2026-38360>\n* Upstream issue (archived repo): <https://github.com/fohrloop/dash-uploader/issues/153>",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "dash-uploader",
"purl": "pkg:pypi/dash-uploader"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0.1.0"
},
{
"last_affected": "0.7.0a2"
}
]
}
]
}
],
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/a1ohadance/CVE-2026-38360"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38360"
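Review bot: in the new `affected` block, `"introduced": "0.1.0"` is narrower than the `details` text, which states that all 16 published releases are affected; the database convention when every release is affected is `"introduced": "0"`, which also covers any earlier or yanked artifacts, so consider using `"0"` unless 0.1.0 is deliberately the floor. Using `last_affected` rather than `fixed` is right given the archived repository and the stated absence of a patched version, and the vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` is consistent with the unauthenticated remote code execution described. One wording point in the Mitigation section: the three interim controls (blocking the endpoint at a proxy, running as an unprivileged user, read-only code directories) are complementary rather than mutually exclusive, so the capitalised `OR` between bullets reads as if a defender should pick only one; plain bullets would avoid that implication.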
Expand All @@ -24,11 +50,7 @@
"url": "https://github.com/fohrloop/dash-uploader/issues/153"
},
{
"type": "WEB",
"url": "https://github.com/a1ohadance/CVE-2026-38360"
},
{
"type": "WEB",
"type": "PACKAGE",
"url": "https://github.com/fohrloop/dash-uploader"
},
{
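Review bot: retyping the repository URL from `WEB` to `PACKAGE` and dropping the duplicate `WEB` entry for the PoC repository (now listed once as `EVIDENCE` in the earlier hunk) is the right cleanup. Please also check the collapsed lines above this hunk for a pre-existing `WEB` entry for the NVD URL, since the earlier hunk adds it as `ADVISORY` and a leftover copy would leave the same link listed twice.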
Expand All @@ -42,6 +64,19 @@
{
"type": "WEB",
"url": "https://pypi.org/project/dash-uploader"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-xp7f-v245-w3w8"
}
],
"credits": [
{
"name": "Muhammad Fitri bin Mohd Sultan",
"type": "FINDER",
"contact": [
"https://github.com/a1ohadance"
]
}
],
"database_specific": {
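Review bot: the companion advisory link `https://github.com/advisories/GHSA-xp7f-v245-w3w8` is typed `WEB`, which is the correct choice here: it concerns a different vulnerability (CVE-2026-38361) in the same package, and the OSV `ADVISORY` type is reserved for advisories about this record's own vulnerability, so no change needed. The new `credits` entry uses a fully qualified URL for `contact` and `FINDER` as the type, which matches the schema; the name and URL also agree with the `EVIDENCE` reference added earlier, so the attribution is internally consistent.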
Expand All @@ -53,4 +88,4 @@
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T17:16:30Z"
}
}
}
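Review bot: the only change in this hunk is the closing brace (most likely the trailing newline at end of file), while `github_reviewed_at` in the surrounding context stays `null`. If this PR is meant to be the reviewed version of the record, whoever merges it should make sure the review timestamp in `database_specific` gets set, since consumers filter on it to distinguish reviewed from unreviewed advisories.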