connect-multiparty vulnerability and deprecation
Hi 👋
one of the direct dependencies connect-multiparty seems to be no longer actively maintained.
There is also already a vulnerability about it being reported: https://github.com/advisories/GHSA-w2xw-44r3-4v9g
Are there any plans to move away from this?
Thank you in advance.
Cheers Andi
Hi Andi,
This vulnerability is marked as "disputed:"
https://nvd.nist.gov/vuln/detail/CVE-2022-29623
There are very good reasons it is disputed. The "vulnerability" is that the middleware lets you upload files. Well yes, that is its purpose! The vulnerability states that "an arbitrary file upload vulnerability in the file upload module of Express Connect-Multiparty 2.2.0 allows attackers to execute arbitrary code via a crafted PDF file," but never goes on to say they are talking about what would happen if an end user downloaded a malicious PDF file to their computer after it was uploaded by an authorized editor of the website. There is no vulnerability to the server, and it is not the middleware's job to decide if individual files are malicious or not, as long as it defends against server-side code injection attacks, which it does.
So... this CVE is not of high quality.
However, since the module is no longer actively maintained we will look at alternatives to clear the vulnerability report in the near future.
(Note that we use the middleware only in routes that are specifically designed for accepting files, and we have access controls on those routes.)
Thanks a lot for the clarification. 💚
Shall we go with multer as alternative https://github.com/expressjs/multer?
multer is under consideration internally, yes. Just need to make sure there are no changes in behavior with it.
@boutell Sure, shall I go and update it?
We will likely pursue this in the next 2-4 weeks, but if you have time to go after it this week... by all means do! Don't forget that the functionality must be tested. That means successfully uploading images to an apostrophe site's media library, and also successfully uploading a CSV file to a rich text widget, and verifying the change was made in both cases.
Are you up for giving that a try?
Got you, and I agree on the testing. Since we are changing the existing package, we have to test this.
Let me try and give you the PR.
@boutell Please find the PR above, check it and let me know.
Thanks again!