Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the…
GitHub_M·CWE-343·Published 2026-03-18
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload in github.com/nhost/nhost
## Summary The storage service's file upload handler trusts the client-provided `Content-Type` header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. ## Affected Component - **Service**: `services/storage` - **File**: `services/storage/controller/upload_files.go` - **Function**: `getMultipartFile` (lines 48-70) ## Root Cause In `getMultipartFile`, if the client provides a non-empty `Content-Type` header that isn't `application/octet-stream`, the function returns it as-is without performing content-based detection: ```go contentType := file.header.Header.Get("Content-Type") if contentType != "" && contentType != "application/octet-stream" { return fileContent, contentType, nil // skip detection entirely } // mimetype.DetectReader only reached if client sends no Content-Type // or sends application/octet-stream mt, err := mimetype.DetectReader(fileContent) ``` ## Impact **Incorrect MIME type in file metadata.** The MIME type stored in file metadata reflects what the client claims rather than what the file actually contains. Any system consuming this metadata (browsers, CDNs, applications) may handle the file incorrectly based on the spoofed type. ## Suggested Fix Always detect MIME type from file content using `mimetype.DetectReader`, ignoring the client-provided `Content-Type` header entirely.
Nhost es una alternativa de código abierto a Firebase con GraphQL. Antes de la versión 0.12.0, el gestor de carga de archivos del servicio de almacenamiento confía en el encabezado Content-Type proporcionado por el cliente sin realizar detección de tipo MIME en el servidor. Esto permite a un atacante subir archivos con un tipo MIME arbitrario, eludiendo cualquier restricción basada en el tipo MIME configurada en los buckets de almacenamiento. Este problema ha sido parcheado en la versión 0.12.0.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | GHSA | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 4.0 | Primary | cve.org | 2.1 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Primary | cve.org | 2.1 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 2.1 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 2.1 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |