{“lastseen”:”2026-05-08T18:01:00″,”description”:”There is an unauthenticated path traversal in dash-uploader versions 0.1.0 through 0.7.0a2 allowing arbitrary file write, leading to but not limited to remote code execution, application source code overwrite, stored cross site scripting, and…”,”published”:”2026-05-08T00:00:00″,”modified”:”2026-05-08T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Dash-Uploader 0.7.0a2 Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:220639″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-38360″,”CVE-2026-38361″],”sourceData”:”# CVE-2026-38360: Path Traversal in dash-uploader\\n \\n [](https:\/\/www.cve.org\/CVERecord?id=CVE-2026-38360)\\n [](https:\/\/cwe.mitre.org\/data\/definitions\/22.html)\\n [](#)\\n [](#mitigation)\\n [](#attack-vectors)\\n [](https:\/\/pypi.org\/project\/dash-uploader\/)\\n [](https:\/\/pepy.tech\/project\/dash-uploader)\\n [](https:\/\/pepy.tech\/project\/dash-uploader)\\n [](https:\/\/pypi.org\/project\/dash-uploader\/)\\n \\n Unauthenticated path traversal in [`fohrloop\/dash-uploader`](https:\/\/github.com\/fohrloop\/dash-uploader) (Python, PyPI) allowing arbitrary file write, leading to (but not limited to) **Remote Code Execution (RCE)**, application source code overwrite, stored XSS, and persistent backdoor installation.\\n \\n ### \u26a0\ufe0f No patch is available, and none will ever be released\\n \\n The repository was [archived on 2025-07-19](https:\/\/github.com\/fohrloop\/dash-uploader\/issues\/153) with no active maintainer. Every published version (`0.1.0` through `0.7.0a2`) is affected and will remain so. The package still pulls roughly 28,000 monthly downloads.\\n \\n Anyone running `dash-uploader` in production must apply a mitigation themselves. The recommended fix is to migrate to Plotly Dash’s built-in `dcc.Upload` component. See [Mitigation](#mitigation) for full options.\\n \\n | | |\\n |—|—|\\n | **CVE ID** | CVE-2026-38360 |\\n | **Vulnerability** | Path Traversal (CWE-22) |\\n | **CVSS 3.1** | 9.8 \/ Critical (`AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H`) |\\n | **Product** | dash-uploader |\\n | **Affected versions** | `0.1.0` through `0.7.0a2` (all 18 releases) |\\n | **Fixed version** | none (project archived 2025-07-19) |\\n | **Attack vector** | Remote, unauthenticated |\\n | **Discoverer** | Muhammad Fitri Bin Mohd Sultan |\\n | **Assigned by** | MITRE, 2026-05-07 |\\n | **Related** | [CVE-2026-38361](https:\/\/github.com\/a1ohadance\/CVE-2026-38361) (DoS in same library) |\\n \\n ## Description\\n \\n Three user-controlled parameters from `request.form.get()` in `dash_uploader\/httprequesthandler.py` are passed directly to `os.path.join()` and `os.makedirs()` without any sanitization or validation:\\n \\n 1. **`upload_id`** (line 57 \u2192 line 161, `BaseHttpRequestHandler.get_temp_root`): controls the destination directory. An attacker can send `upload_id=..\/..\/..\/..\/usr\/local\/lib\/python3.10\/site-packages` and files are written to Python’s package directory.\\n \\n 2. **`resumableFilename`** (line 51 \u2192 line 108, `BaseHttpRequestHandler._post`): controls the final filename. An attacker can traverse out of the upload directory via the filename even with a legitimate `upload_id`.\\n \\n 3. **`resumableIdentifier`** (line 54 \u2192 line 64, `BaseHttpRequestHandler._post`): used with `os.makedirs()` to create the temp directory. An attacker can create arbitrary directories anywhere on the filesystem.\\n \\n The upload endpoint (`\/API\/dash-uploader` by default) requires no authentication. The `http_request_handler` hook added in `v0.5.0` allows pre-request checks via `post_before()`, but the vulnerable `_post()` method reads all parameters directly from `request.form` after the hook returns. The hook cannot sanitize parameters before the library processes them. A developer who adds authentication via the hook is still vulnerable to path traversal from an authenticated user.\\n \\n ## Vulnerable code\\n \\n “`python\\n # dash_uploader\/httprequesthandler.py\\n def _post(self):\\n resumableFilename = request.form.get(\\”resumableFilename\\”, default=\\”error\\”, type=str)\\n resumableIdentifier = request.form.get(\\”resumableIdentifier\\”, default=\\”error\\”, type=str)\\n upload_id = request.form.get(\\”upload_id\\”, default=\\”\\”, type=str)\\n …\\n temp_root = self.get_temp_root(upload_id) # upload_id flows in here\\n temp_dir = os.path.join(temp_root, resumableIdentifier) # raw user input -\\u003e os.path.join\\n if not os.path.isdir(temp_dir):\\n os.makedirs(temp_dir) # raw user input -\\u003e os.makedirs\\n \\n def get_temp_root(self, upload_id):\\n return os.path.join(self.upload_folder, upload_id) # no sanitization: ..\/..\/ escapes upload_folder\\n “`\\n \\n Three independent traversal sinks share the same root cause: form values reach `os.path.join` and `os.makedirs` with no validation.\\n \\n ## Attack vectors\\n \\n An unauthenticated remote attacker sends an HTTP POST multipart request to the upload endpoint. By injecting path traversal sequences (`..\/`) into the `upload_id` form parameter, the attacker controls the destination directory for the uploaded file. For example, `upload_id=..\/..\/..\/..\/usr\/local\/lib\/python3.10\/site-packages` writes files to Python’s package directory, enabling RCE on the next interpreter startup via `.pth` auto-execution.\\n \\n No authentication, session token, or CSRF token is required. Two additional parameters (`resumableFilename` and `resumableIdentifier`) provide independent traversal vectors through the same endpoint. The default library configuration as shown in the official quickstart documentation is exploitable with a single `curl` command.\\n \\n ## Impact\\n \\n Arbitrary file write to any directory writable by the server process. This translates to **Remote Code Execution (RCE)** through several well-known primitives:\\n \\n **RCE primitives**\\n \\n – Python `.pth` file dropped into `site-packages`. Executes attacker-supplied code on the next interpreter startup.\\n – `sitecustomize.py` or `usercustomize.py` injection. Executes on every Python startup.\\n – Overwriting an importable Python module in the application’s package directory. Executes on next import or worker recycle.\\n – Overwriting the WSGI\/ASGI entry point (e.g. `app.wsgi`, `wsgi.py`). Executes on next worker reload.\\n – Cron drop-in (`\/etc\/cron.d\/`, `\/etc\/cron.hourly\/`, user crontab spool) when the process has the necessary privileges. Scheduled execution.\\n – Systemd unit or user-unit drop-in (`\/etc\/systemd\/system\/`, `~\/.config\/systemd\/user\/`). Executes on next service start or reboot.\\n – `\/etc\/ld.so.preload` injection when the process runs as root. Preloads attacker code into every subsequent binary execution.\\n – Shell startup file overwrite (`~\/.bashrc`, `~\/.profile`, `~\/.bash_profile`). Executes on next interactive login of the app user.\\n – `~\/.ssh\/authorized_keys` append. Grants persistent SSH access to the host as the app user.\\n \\n **Web-tier impact**\\n \\n – Stored cross-site scripting on the host domain by overwriting served JavaScript (for example, Dash framework JS in `site-packages`), affecting every user on every page load until the application is restarted\\n – Application source code overwrite (a silent, persistent backdoor that survives normal deploys when the deploy mechanism does not fully overwrite the affected paths)\\n \\n **Filesystem impact**\\n \\n – Arbitrary directory creation anywhere the process can reach, via `os.makedirs()` with the unsanitized `resumableIdentifier` parameter (usable for inode exhaustion or for staging writes into nonexistent directory trees)\\n – Cross-user file replacement in shared upload directories, leading to data poisoning between tenants of the same application\\n \\n ## Affected component\\n \\n – `dash_uploader\/httprequesthandler.py`\\n – `BaseHttpRequestHandler.get_temp_root()`\\n – `BaseHttpRequestHandler._post()`\\n \\n ## Mitigation\\n \\n ### \u26a0\ufe0f No patch is available, and the project is archived\\n \\n Options for currently-deployed users, in order of preference:\\n \\n 1. **Migrate to `dcc.Upload`**, the official upload component shipped with Plotly Dash. Files arrive at the callback as a base64 string; no filesystem-writing handler is exposed and no client-controlled destination path exists, so the bug class here does not apply. Best suited to small and medium files. For very large uploads, see item 2.\\n 2. **Roll a small Flask upload handler** using `werkzeug.utils.secure_filename()` and a hardcoded server-side destination directory. Never accept client-supplied `upload_id`, filename, or identifier values as path components.\\n 3. **If continuing to use dash-uploader**, place the upload endpoint behind authentication AND validate `upload_id`, `resumableFilename`, and `resumableIdentifier` against a strict allowlist (e.g., UUIDs only) at a layer that rewrites or rejects the request before the library handler sees it. The library’s `http_request_handler` hook does NOT prevent the traversal because parameters are read from `request.form` after the hook returns; sanitization must happen above the library.\\n 4. **At the reverse-proxy or WAF layer**, reject any request to the upload endpoint where any form field contains `..`, encoded variants (`%2e%2e`, `..%2f`, `%2e%2e%2f`), or absolute paths.\\n \\n ## Disclosure timeline\\n \\n | Date | Event |\\n |—|—|\\n | 2026-03-17 | Vulnerability discovered during security research on a production deployment. |\\n | 2026-03-19 | CVE request submitted to MITRE. |\\n | 2026-05-07 | CVE-2026-38360 assigned by MITRE. |\\n | 2026-05-07 | Public advisory published. |\\n \\n ## Package context\\n \\n – Approximately 28,000 monthly downloads on PyPI (27,756 in the 30 days preceding 2026-05-07, with sustained daily volume despite repository archival). Source: [pypistats.org](https:\/\/pypistats.org\/packages\/dash-uploader).\\n – Latest published version: `0.6.1` (stable line). Pre-releases extend to `0.7.0a2`.\\n – Required dependency: `dash`. Optional dependency: `pyyaml`. License: MIT.\\n – 11 dependent packages, 6 dependent repositories.\\n – 153 GitHub stars.\\n – Repository archived 2025-07-19 ([Issue #153](https:\/\/github.com\/fohrloop\/dash-uploader\/issues\/153)).\\n – No prior CVEs (verified against NVD, GitHub Advisory Database, Snyk, OSV on 2026-03-19).\\n \\n ## References\\n \\n – https:\/\/github.com\/fohrloop\/dash-uploader\\n – https:\/\/pypi.org\/project\/dash-uploader\/\\n – https:\/\/pypistats.org\/packages\/dash-uploader\\n – https:\/\/github.com\/fohrloop\/dash-uploader\/blob\/stable\/dash_uploader\/httprequesthandler.py\\n – https:\/\/github.com\/fohrloop\/dash-uploader\/blob\/dev\/dash_uploader\/httprequesthandler.py\\n – https:\/\/github.com\/fohrloop\/dash-uploader\/issues\/153\\n – https:\/\/cwe.mitre.org\/data\/definitions\/22.html\\n \\n ## Discoverer\\n \\n Muhammad Fitri Bin Mohd Sultan”,”sourceHref”:”https:\/\/packetstorm.news\/download\/220639″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/220639\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-08T18:01:00″,”description”:”There is an unauthenticated path traversal in dash-uploader versions 0.1.0 through 0.7.0a2 allowing arbitrary file write, leading to but not limited to remote code execution,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-52564","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n