GHSA-gxxh-8vcj-w2mh: livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler
All versions of mckenziearts/livewire-markdown-editor prior to v1.3 contain a critical arbitrary file upload vulnerability in the MarkdownEditor::updatedAttachments() Livewire handler. The handler calls $file->store() with no server-side validation of MIME type, extension, or file content.
Any authenticated user with access to a page embedding <livewire:markdown-editor> can upload files of any type (.html, .svg, .js, .php, .exe, etc.) to the disk configured by livewire-markdown-editor.disk. When that disk is a public cloud bucket (S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage — the common configuration when FILESYSTEM_DISK points to such a disk), uploaded files are served publicly with a guessed Content-Type header.
The consequences include:
- Stored XSS on the storage domain via uploaded .html or .svg files
- Phishing page hosting on the application's own storage domain (trust laundering)
- Malware distribution from a domain users associate with the application
- Markdown injection in the editor output via crafted filenames (the client-supplied getClientOriginalName() value was inserted verbatim into the markdown)
A real-world exploitation of this vulnerability was observed in production on a community platform using this package.
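A hardened version of the attachment handler described above, written as an added example for this advisory; it is not the package's code or its v1.3 fix. It assumes a Livewire 3 component using the WithFileUploads trait; the class name, the markdown-attachments directory, the allowed-type list and the safeLabel() helper are illustrative choices.

```php
<?php

namespace App\Livewire;

use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;
use Livewire\Component;
use Livewire\WithFileUploads;

// Hypothetical hardened handler (added example, not the package's code).
class HardenedMarkdownEditor extends Component
{
    use WithFileUploads;

    public string $content = '';
    public array $attachments = [];

    // Only image types are accepted. The `mimes` rule inspects the file
    // content, not the client-supplied extension or Content-Type.
    protected function rules(): array
    {
        return ['attachments.*' => ['file', 'mimes:jpg,jpeg,png,gif,webp', 'max:5120']];
    }

    public function updatedAttachments(): void
    {
        $this->validate();
        $disk = config('livewire-markdown-editor.disk', config('filesystems.default'));

        foreach ($this->attachments as $file) {
            // Server-chosen name: random basename plus the extension derived from
            // the detected type; the client's original filename is never stored.
            $name = Str::random(40) . '.' . $file->extension();
            $path = $file->storeAs('markdown-attachments', $name, $disk);

            // The label shown in the markdown is derived from the client name but
            // stripped of markdown/HTML metacharacters so it cannot inject markup.
            $label = self::safeLabel($file->getClientOriginalName());
            $this->content .= sprintf("\n![%s](%s)\n", $label, Storage::disk($disk)->url($path));
        }
        $this->attachments = [];
    }

    // Reduce a client filename to a plain-text label safe to embed in markdown.
    public static function safeLabel(string $clientName): string
    {
        $base = pathinfo($clientName, PATHINFO_FILENAME);
        $base = preg_replace('/[\[\]()<>`*_\\\\"\'\r\n]/', '', $base);
        return Str::limit(trim($base) ?: 'attachment', 80, '');
    }
}
```

Because the validated types are all images, a public bucket will never serve one of these uploads as text/html or image/svg+xml, which removes the stored XSS and phishing vectors described above.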
References
- github.com/advisories/GHSA-gxxh-8vcj-w2mh
- github.com/mckenziearts/livewire-markdown-editor
- github.com/mckenziearts/livewire-markdown-editor/commit/1e60eaa5781e89704e112425f832774be85cd71f
- github.com/mckenziearts/livewire-markdown-editor/releases/tag/v1.3
- github.com/mckenziearts/livewire-markdown-editor/security/advisories/GHSA-gxxh-8vcj-w2mh