CVE-2026-33329 Overview
CVE-2026-33329 is a path traversal vulnerability affecting FileRise, a self-hosted web file manager and WebDAV server. The vulnerability exists in the resumableIdentifier parameter within the Resumable.js chunked upload handler (UploadModel::handleUpload()), where user-controlled input is concatenated directly into filesystem paths without proper sanitization. An authenticated attacker with upload permissions can exploit this flaw to write files to arbitrary directories on the server, delete arbitrary directories via post-assembly cleanup operations, and probe the existence of files and directories.
Critical Impact
Authenticated attackers can achieve arbitrary file write and directory deletion capabilities, potentially leading to complete server compromise, data destruction, or code execution through webshell uploads.
Affected Products
- FileRise versions 1.0.1 through 3.9.x
- Self-hosted FileRise WebDAV server deployments
- Systems running vulnerable FileRise file manager instances
Discovery Timeline
- 2026-03-24 - CVE-2026-33329 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33329
Vulnerability Analysis
The vulnerability stems from improper handling of the resumableIdentifier parameter in FileRise's chunked file upload functionality. When processing multi-part uploads through the Resumable.js library, the application takes the identifier value and directly incorporates it into filesystem path construction without validating or sanitizing the input. This allows attackers to inject path traversal sequences (such as ../) to escape the intended upload directory structure.
The impact is threefold: First, attackers can write arbitrary files to any location on the filesystem where the web server has write permissions. Second, the post-assembly cleanup routine can be abused to delete arbitrary directories. Third, error responses during exploitation can reveal information about the existence of files and directories on the system, enabling reconnaissance activities.
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal.
Root Cause
The root cause is missing input validation and sanitization in the UploadModel::handleUpload() function. The resumableIdentifier parameter is trusted as safe input and concatenated directly into filesystem paths used for storing upload chunks and assembling final files. No checks are performed to detect or remove path traversal sequences, special characters, or null bytes that could manipulate the intended file path.
Attack Vector
The attack requires network access and valid authentication credentials with upload permissions. An attacker crafts a malicious chunked upload request with a specially crafted resumableIdentifier value containing path traversal sequences. When the server processes this request, the malicious identifier causes file operations to occur outside the intended upload directory.
For example, an attacker could upload a PHP webshell to a web-accessible directory, overwrite critical configuration files, or delete important system directories. The attack is particularly dangerous in environments where FileRise runs with elevated filesystem permissions.
The vulnerability mechanism involves the following pattern: The attacker sends a POST request to the chunked upload endpoint with a resumableIdentifier value such as ../../../var/www/html/shell. The server concatenates this value into the upload path, resulting in files being written to /var/www/html/shell instead of the intended upload directory. Technical details are available in the GitHub Security Advisory.
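The pattern described above, reconstructed as an added example (Python, not FileRise's own PHP code): the vulnerable join beside a hardened builder that allow-lists the identifier and then proves the canonical path still sits under the upload root. UPLOAD_ROOT, the identifier character set and the chunk file naming are assumptions, not values from the project.

```python
import os
import re

# Constructed stand-in for the FileRise upload directory; not a real path from the project
UPLOAD_ROOT = "/srv/filerise/uploads"

# Hypothetical allow-list for a chunk identifier: letters, digits, dot, dash, underscore
IDENT_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")


def chunk_path_vulnerable(upload_root: str, identifier: str, chunk_no: int) -> str:
    """The flawed pattern the advisory describes: the client-supplied
    identifier is joined into the filesystem path with no validation."""
    return os.path.join(upload_root, identifier, f"chunk_{chunk_no}")


def chunk_path_hardened(upload_root: str, identifier: str, chunk_no: int) -> str:
    """Validate the identifier, then verify the canonical target stays
    beneath the canonical upload root. Raises ValueError otherwise."""
    if "\x00" in identifier or identifier in (".", ".."):
        raise ValueError("invalid identifier")
    if not IDENT_RE.fullmatch(identifier):
        raise ValueError("identifier contains disallowed characters")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, identifier, f"chunk_{chunk_no}"))
    # Containment check: catches anything the allow-list might miss,
    # such as a symlink already planted inside the upload root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("identifier escapes upload root")
    return target


def identifier_is_accepted(identifier: str) -> bool:
    """True if the hardened builder accepts the identifier, False if it rejects it."""
    try:
        chunk_path_hardened(UPLOAD_ROOT, identifier, 1)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    evil = "../../../var/www/html/shell"   # traversal value quoted in the write-up above
    # The three ../ segments cancel the upload root, so the OS resolves
    # this to /var/www/html/shell/chunk_1 when the chunk is written.
    print(chunk_path_vulnerable(UPLOAD_ROOT, evil, 1))
    print(identifier_is_accepted(evil), identifier_is_accepted("4096-report.pdf"))
```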
Detection Methods for CVE-2026-33329
Indicators of Compromise
- Unexpected files appearing in web-accessible directories outside normal upload paths
- Missing or deleted directories that should exist on the server
- Upload request logs containing resumableIdentifier values with ../ sequences or encoded path traversal patterns
- Webshell files or suspicious PHP/executable files in public directories
Detection Strategies
- Monitor HTTP request logs for upload endpoints containing path traversal patterns in the resumableIdentifier parameter
- Implement file integrity monitoring (FIM) on critical directories to detect unauthorized file writes
- Review web server access logs for anomalous POST requests to /upload or similar chunked upload endpoints
- Deploy web application firewalls (WAF) with rules to detect and block path traversal sequences in request parameters
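Detection logic for the log-based indicators and strategies listed above, as an added example that is not part of the original page: it parses access-log lines, decodes the resumableIdentifier query parameter (including double percent-encoding and backslash separators) and flags values that would step out of the upload directory. The /upload endpoint name, the combined-log format and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format; not real FileRise logs.
# /upload is a placeholder endpoint name taken from the detection guidance above.
SAMPLE_LOG = """\
10.0.0.5 - alice [24/Mar/2026:10:01:02 +0000] "POST /upload?resumableIdentifier=4096-report.pdf&resumableChunkNumber=1 HTTP/1.1" 200 17
10.0.0.9 - bob [24/Mar/2026:10:02:41 +0000] "POST /upload?resumableIdentifier=../../../var/www/html/shell&resumableChunkNumber=1 HTTP/1.1" 200 17
10.0.0.9 - bob [24/Mar/2026:10:02:45 +0000] "POST /upload?resumableIdentifier=%2e%2e%2f%2e%2e%2f%2e%2e%2fvar%2fwww%2fhtml%2fshell&resumableChunkNumber=2 HTTP/1.1" 200 17
10.0.0.9 - bob [24/Mar/2026:10:02:50 +0000] "POST /upload?resumableIdentifier=%252e%252e%252f%252e%252e%252fconfig&resumableChunkNumber=1 HTTP/1.1" 404 31
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (bounded so a hostile value cannot loop forever)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def identifier_is_suspicious(raw: str) -> bool:
    """True if the identifier would leave the upload directory once decoded."""
    value = fully_decode(raw).replace("\\", "/")
    if "\x00" in value or value.startswith("/"):
        return True
    return any(segment == ".." for segment in value.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose resumableIdentifier looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs already performs one round of percent-decoding
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in params.get("resumableIdentifier", []):
            if identifier_is_suspicious(raw):
                hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                             "status": m["status"], "identifier": fully_decode(raw)})
    return hits
```

This only sees identifiers carried in the query string; when the client sends them in the multipart body, the same check has to run on application-level logs.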
Monitoring Recommendations
- Enable detailed logging for the FileRise application and monitor for path-related errors or exceptions
- Set up alerts for file creation events in directories outside designated upload locations
- Regularly audit user accounts with upload permissions and review their activity logs
- Monitor for unusual directory deletion events in system logs
How to Mitigate CVE-2026-33329
Immediate Actions Required
- Upgrade FileRise to version 3.10.0 or later immediately
- Review server filesystem for any unauthorized files that may have been written during the vulnerable period
- Audit user accounts with upload permissions and revoke access from any suspicious accounts
- Implement network-level access controls to limit exposure of the FileRise instance
Patch Information
FileRise version 3.10.0 addresses this vulnerability by implementing proper input sanitization for the resumableIdentifier parameter. The fix is available in GitHub Release v3.10.0. The specific commit addressing this vulnerability can be reviewed at the GitHub Commit Record.
Organizations should prioritize this update given the potential for arbitrary file write and directory deletion attacks. The security advisory details are available at GitHub Security Advisory GHSA-c2jm-4wp9-5vrh.
Workarounds
- Restrict upload permissions to only trusted users while waiting for the patch to be applied
- Place the FileRise instance behind a reverse proxy with WAF rules blocking path traversal patterns
- Run FileRise with minimal filesystem permissions to limit the impact of exploitation
- Temporarily disable chunked/resumable upload functionality if possible until the patch is applied
# Configuration example - Restrict FileRise directory permissions
# Set strict ownership and permissions on the FileRise data directory
# (adjust the user/group and path to match your deployment)
chown -R www-data:www-data /var/www/filerise/uploads
chmod -R 750 /var/www/filerise/uploads
# Remove world-write from web-accessible directories. This only helps if the
# web server user does not itself own or have write access to the document root.
chmod -R o-w /var/www/html

# Example nginx rule to block path traversal in upload requests
# Add to the nginx server block. $request_uri is the raw, undecoded request line,
# so the pattern also matches percent-encoded dots. It inspects only the URL and
# query string, not a multipart POST body, so it does not replace a real WAF or
# the application-level fix in 3.10.0.
location /upload {
    if ($request_uri ~* "(\.\.|%2e%2e)") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.