GHSA-G9F6-9775-HFFM

Vulnerability from github – Published: 2026-03-18 20:21 – Updated: 2026-03-25 18:15
VLAI?
Summary
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload
Details

Summary

The storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.

Affected Component

  • Service: services/storage
  • File: services/storage/controller/upload_files.go
  • Function: getMultipartFile (lines 48-70)

Root Cause

In getMultipartFile, if the client provides a non-empty Content-Type header that isn't application/octet-stream, the function returns it as-is without performing content-based detection:

contentType := file.header.Header.Get("Content-Type")
if contentType != "" && contentType != "application/octet-stream" {
    return fileContent, contentType, nil // skip detection entirely
}

// mimetype.DetectReader only reached if client sends no Content-Type
// or sends application/octet-stream
mt, err := mimetype.DetectReader(fileContent)

Impact

Incorrect MIME type in file metadata. The MIME type stored in file metadata reflects what the client claims rather than what the file actually contains. Any system consuming this metadata (browsers, CDNs, applications) may handle the file incorrectly based on the spoofed type.

Suggested Fix

Always detect MIME type from file content using mimetype.DetectReader, ignoring the client-provided Content-Type header entirely.

Severity ?
2.1 (Low)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nhost/nhost"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260318074820-c4bd53f042d7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33221"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-343",
      "CWE-345",
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T20:21:37Z",
    "nvd_published_at": "2026-03-20T23:16:46Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nThe storage service\u0027s file upload handler trusts the client-provided `Content-Type` header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.\n\n## Affected Component\n\n- **Service**: `services/storage`\n- **File**: `services/storage/controller/upload_files.go`\n- **Function**: `getMultipartFile` (lines 48-70)\n\n## Root Cause\n\nIn `getMultipartFile`, if the client provides a non-empty `Content-Type` header that isn\u0027t `application/octet-stream`, the function returns it as-is without performing content-based detection:\n\n```go\ncontentType := file.header.Header.Get(\"Content-Type\")\nif contentType != \"\" \u0026\u0026 contentType != \"application/octet-stream\" {\n    return fileContent, contentType, nil // skip detection entirely\n}\n\n// mimetype.DetectReader only reached if client sends no Content-Type\n// or sends application/octet-stream\nmt, err := mimetype.DetectReader(fileContent)\n```\n\n## Impact\n\n**Incorrect MIME type in file metadata.** The MIME type stored in file metadata reflects what the client claims rather than what the file actually contains. Any system consuming this metadata (browsers, CDNs, applications) may handle the file incorrectly based on the spoofed type.\n\n## Suggested Fix\n\nAlways detect MIME type from file content using `mimetype.DetectReader`, ignoring the client-provided `Content-Type` header entirely.",
  "id": "GHSA-g9f6-9775-hffm",
  "modified": "2026-03-25T18:15:09Z",
  "published": "2026-03-18T20:21:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33221"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/pull/4018"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nhost/nhost"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/releases/tag/storage@0.12.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.