Expand Up @@ -6,15 +6,41 @@
"aliases": [
"CVE-2026-38361"
],
"details": "An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components",
"summary": "dash-uploader vulnerable to multiple unauthenticated denial-of-service vectors via /API/dash-uploader",
"details": "### Impact\n\nThe HTTP request handler in [dash-uploader](https://pypi.org/project/dash-uploader/) versions 0.1.0 through 0.7.0a2 trusts client-supplied form parameters in three ways, each yielding a distinct denial-of-service primitive. All three are reachable unauthenticated through `POST /API/dash-uploader`.\n\n**OOM (uncontrolled resource consumption, CWE-400).** The handler builds a list comprehension over `range(1, flowTotalChunks + 1)` on user-controlled input. With `flowTotalChunks=30000000`, ~30M Python list entries plus path strings allocate ~2.9 GB of resident memory on the worker thread. Trips gunicorn's `--timeout` watchdog (worker SIGKILL by arbiter) within seconds, or the Linux OOM killer under memory pressure.\n\n**TRUNCATE (always-incorrect control flow, CWE-670).** With `flowTotalChunks=0`, the handler computes `all([os.path.exists(p) for p in []])` which evaluates to `True` (the `all([]) == True` quirk). The library enters its \"upload complete, assemble final file\" branch on zero chunks, `os.unlink`s the target file, opens it in append-binary mode, and iterates an empty chunk list — replacing the target file with an empty file. Combined with the path traversal in `upload_id` ([CVE-2026-38360](https://github.com/advisories/GHSA-3rf6-x59v-5jfv)), this truncates arbitrary files writable by the gunicorn UID via a single unauthenticated request.\n\n**EXHAUST (no garbage collection, CWE-400).** Each request with a unique `flowIdentifier` creates a temp directory at `<upload_folder>/<upload_id>/<flowIdentifier>/` and writes the supplied chunk into it. With `flowTotalChunks > 1`, the upload never \"completes\" and the temp directory is never cleaned up. The library has no TTL and no garbage collector, allowing sustained disk-fill at the rate the network and the dash-uploader handler can sustain.\n\n### Affected versions\n\nAll 16 published PyPI releases (`0.1.0` through `0.7.0a2`) are affected. 
The package repository was archived on 2025-07-19; **no patched version exists**.\n\n### Mitigation\n\nReplace `dash-uploader` with an alternative file-upload component. There is no upstream fix path.\n\nInterim mitigations:\n\n* Block `POST /API/dash-uploader` at an upstream proxy, OR\n* Enforce request-body and `flowTotalChunks` ceilings in front of the application (e.g. nginx `client_max_body_size` plus a Lua/CEL rule rejecting `flowTotalChunks` outside `[1, 1000]`), OR\n* Configure the upload directory on a quota-enforced separate filesystem so EXHAUST cannot fill the application's main disk.\n\nThis is a companion advisory to [GHSA-3rf6-x59v-5jfv](https://github.com/advisories/GHSA-3rf6-x59v-5jfv) (CVE-2026-38360), an unauthenticated path-traversal-to-RCE in the same library reachable through the same endpoint.\n\n### References\n\n* Public PoC: <https://github.com/a1ohadance/CVE-2026-38361>\n* NVD: <https://nvd.nist.gov/vuln/detail/CVE-2026-38361>\n* CVE record: <https://www.cve.org/CVERecord?id=CVE-2026-38361>\n* Upstream issue (archived repo): <https://github.com/fohrloop/dash-uploader/issues/153>",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"affected": [],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "dash-uploader",
"purl": "pkg:pypi/dash-uploader"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0.1.0"
},
{
"last_affected": "0.7.0a2"
}
]
}
]
}
],
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/a1ohadance/CVE-2026-38361"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38361"
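Review bot: the CVSS vector on the `score` line (`C:N/I:N/A:H`) does not match the TRUNCATE primitive written into `details`, which states that the handler `os.unlink`s the target file, reopens it in append-binary mode and leaves an empty file, and that combined with CVE-2026-38360 this "truncates arbitrary files writable by the gunicorn UID via a single unauthenticated request". Destroying the contents of an attacker-chosen file is an integrity impact under CVSS 3.1, so either the vector should carry an `I:` value other than `N` (with the "multiple unauthenticated denial-of-service vectors" summary widened accordingly) or the TRUNCATE paragraph should be scoped down to the availability effect the vector actually scores. Separately, the new `affected` range ends in `last_affected: 0.7.0a2` with no `fixed` event, which is the correct shape given the "no patched version exists" statement; keep it that way rather than adding a `fixed` event for a release that was never published.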
Expand All @@ -28,11 +54,7 @@
"url": "https://docs.python.org/3/library/functions.html#all"
},
{
"type": "WEB",
"url": "https://github.com/a1ohadance/CVE-2026-38361"
},
{
"type": "WEB",
"type": "PACKAGE",
"url": "https://github.com/fohrloop/dash-uploader"
},
{
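Review bot: no objection to retyping the upstream repository URL from `WEB` to `PACKAGE`; that is the OSV reference type for the affected package's own home page, and dropping the `WEB` copy of `https://github.com/a1ohadance/CVE-2026-38361` here avoids listing the same URL twice now that it appears once as the `EVIDENCE` entry in the first hunk.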
Expand All @@ -54,6 +76,19 @@
{
"type": "WEB",
"url": "https://pypistats.org/packages/dash-uploader"
},
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-3rf6-x59v-5jfv"
}
],
"credits": [
{
"name": "Muhammad Fitri bin Mohd Sultan",
"type": "FINDER",
"contact": [
"https://github.com/a1ohadance"
]
}
],
"database_specific": {
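Review bot: the companion advisory `https://github.com/advisories/GHSA-3rf6-x59v-5jfv` is added with `"type": "WEB"`, but it is a GitHub security advisory, so `ADVISORY` is the matching OSV reference type; the NVD entry in the first hunk already uses `ADVISORY`, and the `details` text cross-links this GHSA as the companion advisory, so the two should be typed consistently. The `credits` block is fine as written: `FINDER` with a GitHub profile URL under `contact` follows the schema.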
Expand All @@ -65,4 +100,4 @@
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:37Z"
}
}
}