Vulnerability	Vulnerable Version
M Arbitrary File Upload @strapi/upload is a Makes it easy to upload images and files to your Strapi Application. Affected versions of this package are vulnerable to Arbitrary File Upload via the Content API `uploadFiles` and `replaceFile` handlers, which bypass administrator-configured MIME type restrictions. An attacker can upload files with disallowed types, such as HTML or SVG, by exploiting insufficient enforcement of security checks. This can lead to the execution of malicious scripts in the admin origin if an administrator opens the uploaded file, potentially resulting in session hijacking and unauthorized administrative actions. How to fix Arbitrary File Upload? Upgrade `@strapi/upload` to version 5.33.3 or higher.	<5.33.3

Arbitrary File Upload

@strapi/upload is a Makes it easy to upload images and files to your Strapi Application.

Affected versions of this package are vulnerable to Arbitrary File Upload via the Content API uploadFiles and replaceFile handlers, which bypass administrator-configured MIME type restrictions. An attacker can upload files with disallowed types, such as HTML or SVG, by exploiting insufficient enforcement of security checks. This can lead to the execution of malicious scripts in the admin origin if an administrator opens the uploaded file, potentially resulting in session hijacking and unauthorized administrative actions.

How to fix Arbitrary File Upload?

Upgrade @strapi/upload to version 5.33.3 or higher.

<5.33.3

Go back to all versions of this package