Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existing installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.
Published: 2026-03-19
Score: 5.3 Medium
EPSS: 1.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TUS upload handler parses the Upload‑Length header as a signed 64‑bit integer without ensuring it is non‑negative, a flaw that falls under the category of integer over/underflow weaknesses (CWE‑190). An authenticated user can supply a negative value in a PATCH request, causing the server to consider the upload complete instantly. This triggers any configured post‑upload execution hooks with empty or partial files, allowing the attacker to repeatedly fire hooks under arbitrary filenames and zero written bytes. The lack of validation also leads to inconsistent cache entries where files appear complete but contain no data, potentially disrupting workflows that rely on upload status. Exploitation requires that the instance’s enableExec feature be turned on, which is disabled by default for all installations from v2.33.8 onward, and the attacker must ignore warnings about the vulnerability. If enabled, the negative Upload‑Length can amplify attacks such as command injection via malicious filenames or abuse of workflows like S3 ingestion or database inserts.
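The following Go program is an added illustration of the failure mode described above and is not File Browser's own code; the `upload` type, the `newUpload`/`patch` functions and the sample session are constructed for this example. It places the weak pattern (signed parse of Upload-Length with no sign check, completion decided by `offset >= length`) beside a hardened variant that rejects a negative header at session creation and only treats an upload as complete when the received byte count equals the declared length. With the weak path, a single PATCH carrying zero bytes is enough to fire the after_upload hook.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrBadUploadLength is returned for a non-numeric or negative Upload-Length header.
var ErrBadUploadLength = errors.New("invalid Upload-Length header")

// parseUploadLengthUnchecked reproduces the weak pattern from the advisory:
// a signed 64-bit parse with no check that the value is non-negative.
// (Hypothetical code, not File Browser's implementation.)
func parseUploadLengthUnchecked(header string) (int64, error) {
	return strconv.ParseInt(header, 10, 64)
}

// parseUploadLength is the hardened variant: anything that is not a
// non-negative integer is refused before an upload session exists.
func parseUploadLength(header string) (int64, error) {
	n, err := strconv.ParseInt(header, 10, 64)
	if err != nil || n < 0 {
		return 0, ErrBadUploadLength
	}
	return n, nil
}

// upload is a minimal stand-in for a TUS upload session (constructed for this example).
type upload struct {
	name       string
	length     int64 // declared total size from Upload-Length
	offset     int64 // bytes received so far
	strictSize bool  // true = hardened completion check
	hookCalls  int   // how many times the after_upload hook has fired
}

// newUpload models the creation step. The hardened path refuses the session
// outright when the header is negative; the weak path happily stores -1.
func newUpload(name, uploadLength string, hardened bool) (*upload, error) {
	var n int64
	var err error
	if hardened {
		n, err = parseUploadLength(uploadLength)
	} else {
		n, err = parseUploadLengthUnchecked(uploadLength)
	}
	if err != nil {
		return nil, err
	}
	return &upload{name: name, length: n, strictSize: hardened}, nil
}

// patch appends one chunk and reports whether the upload is now complete.
// With the weak check, offset >= length already holds on the first PATCH
// when length is negative, so the hook fires with zero bytes written.
func (u *upload) patch(chunk []byte) bool {
	u.offset += int64(len(chunk))
	var done bool
	if u.strictSize {
		done = u.length >= 0 && u.offset == u.length
	} else {
		done = u.offset >= u.length
	}
	if done {
		u.afterUpload()
	}
	return done
}

// afterUpload stands in for the configured after_upload exec hook.
func (u *upload) afterUpload() {
	u.hookCalls++
	fmt.Printf("after_upload hook: file=%q bytes=%d\n", u.name, u.offset)
}

func main() {
	// Weak path: negative Upload-Length, empty first PATCH, hook fires anyway.
	weak, _ := newUpload("report.pdf", "-1", false)
	fmt.Println("weak path complete after empty PATCH:", weak.patch(nil))

	// Hardened path: the same header never produces a session.
	if _, err := newUpload("report.pdf", "-1", true); err != nil {
		fmt.Println("hardened path rejected:", err)
	}
}
```

The two checks are independent: rejecting a negative header at creation closes the reported issue, while requiring `offset == length` (rather than `>=`) at completion also stops a client from over-sending past the declared size and having the surplus accepted as a "complete" file.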

Affected Systems

All deployments of File Browser that expose the TUS upload endpoint (/api/tus) are affected. The vulnerability applies to the filebrowser:filebrowser product in the 2.x branch prior to version 2.33.8. Instances that enable the enableExec feature for custom hooks face higher risk, while those that do not may still suffer cache inconsistencies and potential denial of service.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate severity potential, while the EPSS score is 2%, suggesting low current exploit probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access; an attacker who can authenticate to the File Browser API can craft the negative Upload‑Length header to trigger hooks or corrupt the file cache. If the enableExec flag is used, the risk escalates from a service disruption to remote command execution or even broader data tampering, depending on what the hooks are configured to perform.

Generated by OpenCVE AI on June 18, 2026 at 10:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed version of File Browser or apply the official patch when released.
  • Disable the enableExec feature or the execution hooks if they are not essential for your operations.
  • Add validation checks in your hook implementations to reject malicious or malformed filenames before executing commands.
  • Monitor upload logs for anomalous PATCH requests that contain negative or missing Upload‑Length headers and investigate suspicious activity.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-ffx7-75gc-jg7c
Title: File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely
History

Tue, 09 Jun 2026 12:30:00 +0000

Type: Description

Values Removed: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.

Values Added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.

Mon, 23 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Filebrowser
Filebrowser filebrowser
Vendors & Products Filebrowser
Filebrowser filebrowser

Fri, 20 Mar 2026 00:00:00 +0000

Type Values Removed Values Added
Description File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.
Title File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely
Weaknesses CWE-190
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T11:51:17.136Z

Reserved: 2026-03-13T18:53:03.532Z

Link: CVE-2026-32759

Vulnrichment

Updated: 2026-03-20T16:48:00.247Z

NVD

Status : Modified

Published: 2026-03-20T00:16:17.270

Modified: 2026-06-17T10:36:20.253

Link: CVE-2026-32759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:15:03Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound