CVE-2022-4111: Unrestricted File Size Limit Leading to DoS in ToolJet/ToolJet v1.27 and Prior Versions

A recently discovered vulnerability, tracked as CVE-2022-4111, has been identified in the ToolJet/ToolJet web application development platform. The vulnerability allows a logged-in attacker to upload profile pictures with sizes of over 2 MB, leading to a potential Denial-of-Service (DoS) attack. This vulnerability affects versions of ToolJet prior to v1.27. In this detailed post, we will discuss the specifics of the exploit, including the affected code, as well as the original references that were used to identify the issue.

Affected Code

The vulnerability exists within the code responsible for handling profile picture uploads. In affected versions of ToolJet, there is no proper check on the size of the uploaded file, allowing an attacker to upload large files and consume server resources, leading to a DoS attack. To illustrate the issue, let's take a look at the following code snippet:

router.post('/upload_profile_picture', async (req, res) => {
  // ...
  const { file } = req.files;
  // ...
  // No proper check for file size
  // ...
  // Save the file to the server
  const path = `${__dirname}/profile_pictures/${req.user.id}.jpg`;
  file.mv(path, (err) => {
    if (err) {
      return res.status(500).send(err);
    }
    res.json({ file: `profile_pictures/${req.user.id}.jpg` });
  });
});

In the above code snippet, there is no validation step to ensure that the uploaded file doesn't exceed the size limit, making it possible for attackers to upload oversized files.

This vulnerability was initially reported by the following sources:

1. GitHub Issue: Unrestricted File Upload Vulnerability #CVE-2022-4111
2. NVD - CVE-2022-4111

Exploit Details

To exploit this vulnerability, an attacker who is logged in to the ToolJet application can use the profile picture upload functionality to upload a file larger than 2 MB. This could potentially lead to a DoS attack, since the affected system may exhaust resources such as memory and disk space while trying to process such files.

Mitigation

The developers of ToolJet have addressed this vulnerability in version 1.27. If you are using a version of ToolJet earlier than 1.27, it is highly recommended that you update to the latest version as soon as possible to mitigate the risk of exploitation.

To prevent this issue from occurring, you can implement proper file size validation when handling file uploads. For example, you can modify the affected code to include a file size check like this:

router.post('/upload_profile_picture', async (req, res) => {
  // ...
  const { file } = req.files;
  const MAX_FILE_SIZE = 2 * 1024 * 1024; // 2 MB
  // ...
  // Check for file size
  if (file.size > MAX_FILE_SIZE) {
    return res.status(400).json({ error: 'File size exceeds the allowed limit.' });
  }
  // ...
  // Save the file to the server
  const path = `${__dirname}/profile_pictures/${req.user.id}.jpg`;
  file.mv(path, (err) => {
    if (err) {
      return res.status(500).send(err);
    }
    res.json({ file: `profile_pictures/${req.user.id}.jpg` });
  });
});

By adding a proper file size check, you can limit the size of uploaded files and reduce the risk of a DoS attack.
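A `file.size` check can only run once the whole upload has been received, so the server has already spent the memory or disk by then. The following JavaScript is an added example (not ToolJet's code and not from the original sources) that applies the same 2 MB cap before and during the read; `checkDeclaredLength`, `readWithCap` and `fakeBody` are hypothetical names, and the request bodies are constructed test data.

```javascript
// Added example; all names are hypothetical, not ToolJet code.
const MAX_FILE_SIZE = 2 * 1024 * 1024; // 2 MB, the limit named in the post

// Step 1: reject on the declared Content-Length before reading any body bytes.
function checkDeclaredLength(headers, maxBytes = MAX_FILE_SIZE) {
  const raw = headers['content-length'];
  if (raw === undefined) return { ok: true }; // chunked upload: rely on step 2
  if (!/^\d+$/.test(raw)) return { ok: false, status: 400 };
  return Number(raw) > maxBytes ? { ok: false, status: 413 } : { ok: true };
}

// Step 2: count bytes as chunks arrive and stop at the cap, so a client that
// omits or understates Content-Length still cannot make the server buffer more.
function readWithCap(chunks, maxBytes = MAX_FILE_SIZE) {
  const kept = [];
  let bytesRead = 0;
  for (const chunk of chunks) {
    bytesRead += chunk.length;
    if (bytesRead > maxBytes) {
      return { ok: false, status: 413, bytesRead, body: null };
    }
    kept.push(chunk);
  }
  return { ok: true, status: 200, bytesRead, body: Buffer.concat(kept) };
}

// Constructed sample input: a lazily generated body of `total` bytes in 64 KiB chunks.
function* fakeBody(total, chunkSize = 64 * 1024) {
  for (let sent = 0; sent < total; sent += chunkSize) {
    yield Buffer.alloc(Math.min(chunkSize, total - sent), 0x41);
  }
}

function demo() {
  const tenMB = 10 * 1024 * 1024;
  return {
    declared: checkDeclaredLength({ 'content-length': String(tenMB) }),
    undeclared: readWithCap(fakeBody(tenMB)),
    small: readWithCap(fakeBody(300 * 1024)),
  };
}

console.log(demo());
```

For the 10 MB body with no declared length, reading stops one chunk past the cap instead of consuming all 10 MB. In a real handler the same counting would be done on the request stream or by the upload middleware's own size limit.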

Conclusion

CVE-2022-4111 is a critical vulnerability in ToolJet that can lead to a DoS attack by allowing unrestricted file size uploads when updating profile pictures. By upgrading to the latest version of ToolJet (v1.27 or later) and implementing proper file size validation measures, you can mitigate the risks associated with this exploit. Remember to always keep your software up to date and follow best practices for secure coding to minimize the impact of vulnerabilities like this.

Timeline

Published on: 11/22/2022 03:15:00 UTC
Last modified on: 11/26/2022 03:28:00 UTC