<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:jugmac00:flask-Reuploaded:*:*:*:*:*:python:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3ajugmac00flask-reuploadedpython/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 20:12:56 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3ajugmac00flask-reuploadedpython/feed.xml" rel="self" type="application/rss+xml"/><item><title>Flask-Reuploaded Extension Denylist Bypass via Case-Folding Asymmetry</title><link>https://feed.craftedsignal.io/briefs/2026-07-flask-reuploaded-case-folding-bypass/</link><pubDate>Fri, 17 Jul 2026 20:12:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-flask-reuploaded-case-folding-bypass/</guid><description>An incomplete fix for CVE-2026-27641 in Flask-Reuploaded versions up to and including 1.5.0 allows attackers to bypass extension denylists through case-folding asymmetry, enabling the upload of malicious files with dangerous extensions (e.g., shell.PHP) that can lead to remote code execution on case-insensitive execution environments.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in the Flask-Reuploaded library, affecting all versions up to and including 1.5.0, stemming from an incomplete fix for CVE-2026-27641. This flaw allows attackers to bypass documented extension denylist mechanisms, specifically when a <code>name</code> override is provided to the <code>UploadSet.save()</code> function. The core issue lies in a case-folding asymmetry: the re-validation logic for the <code>name</code> override uses a case-preserving extension extractor, whereas the security policy's denied tokens are typically lowercase. This discrepancy enables attackers to upload files with mixed-case dangerous extensions, such as <code>shell.PHP</code> or <code>evil.pHp</code>, which would normally be blocked. If the application is deployed on a system with case-insensitive file resolution and execution, such as Windows or macOS filesystems, or specific web server configurations (e.g., Apache with <code>AddHandler</code>/<code>AddType</code>), successful exploitation leads to remote code execution under the web server's privileges, re-enabling the impact that the original CVE-2026-27641 aimed to prevent.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a web application utilizing Flask-Reuploaded and configured with an <code>UploadSet</code> that employs a denylist to prevent specific file types (e.g., scripts).</li>
<li>The attacker crafts a malicious file, such as a PHP web shell, specifically designed for remote code execution, (e.g., <code>shell.PHP</code>).</li>
<li>The attacker sends an authenticated HTTP request to the application's file upload endpoint, which uses the vulnerable <code>UploadSet.save()</code> function.</li>
<li>Within this request, the attacker supplies a <code>name</code> override parameter for the uploaded file, specifying the malicious filename with mixed casing (e.g., <code>name=&quot;shell.PHP&quot;</code> or <code>name=&quot;evil.pHp&quot;</code>).</li>
<li>Due to the incomplete fix for CVE-2026-27641, the <code>UploadSet.save()</code> function's re-validation logic fails to normalize the mixed-case extension to lowercase, thus bypassing the configured denylist.</li>
<li>The application saves the malicious file (e.g., <code>shell.PHP</code>) to the configured upload directory on the web server's filesystem.</li>
<li>The attacker then makes a subsequent HTTP request to directly access the uploaded malicious file (e.g., <code>http://example.com/uploads/shell.PHP?c=id</code>).</li>
<li>On a server environment where file extensions are resolved or executed case-insensitively (e.g., Windows/macOS filesystems or specific Apache <code>AddHandler</code>/<code>AddType</code> configurations), the web server executes the PHP web shell, granting the attacker remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of this vulnerability bypasses Flask-Reuploaded's documented extension denylist mechanism for scripts and executables. This allows an attacker to upload and store files with dangerous, mixed-case extensions (e.g., <code>.PHP</code>, <code>.pHp</code>) within the application's served upload directory. The primary impact is remote code execution (RCE) under the web server's privileges if the affected application is hosted on a case-insensitive execution surface such as Windows or macOS filesystems, or if the web server (e.g., Apache) is configured to handle extensions case-insensitively. This outcome effectively re-enables the critical code execution risk that the original CVE-2026-27641 aimed to mitigate, potentially compromising the integrity, confidentiality, and availability of the affected web application and underlying server. Any web application using Flask-Reuploaded with a denylist configuration is susceptible.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update Flask-Reuploaded to a version that addresses the case-folding asymmetry in <code>UploadSet.save()</code>. The patch should normalize the extension before the policy check using <code>ext = extension(basename).lower()</code> or <code>extension(lowercase_ext(basename))</code>.</li>
<li>Alternatively, modify your Flask-Reuploaded configuration to make <code>extension_allowed</code> or the policy containers case-insensitive to ensure consistent evaluation of extensions.</li>
<li>Audit your application's file upload logic to ensure that user-supplied filenames are rigorously validated and processed using case-normalized extensions consistently across all security checks.</li>
<li>Deploy the <code>attack.t1190</code> rules in your SIEM to detect attempts to exploit public-facing applications through suspicious file uploads.</li>
<li>Ensure your log sources, particularly <code>webserver</code> logs, capture full HTTP request details, including method, URI stem, and query parameters, to aid in investigating <code>attack.t1190</code> activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>file-upload</category><category>rce</category><category>python</category><category>flask</category><category>incomplete-fix</category></item></channel></rss>