CVE-2026-33645 Overview
CVE-2026-33645 is an authenticated path traversal vulnerability discovered in Fireshare, a self-hosted media and link sharing application. The flaw exists in Fireshare's chunked upload endpoint where the checkSum multipart field is used directly in filesystem path construction without proper sanitization or containment checks. This vulnerability allows authenticated attackers to write arbitrary files outside the intended upload directory to any path writable by the Fireshare process.
Critical Impact
Authenticated attackers can write arbitrary files to attacker-controlled paths, violating system integrity and potentially enabling follow-on attacks such as remote code execution depending on deployment configuration.
Affected Products
- Fireshare version 1.5.1
- Fireshare versions prior to 1.5.2
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33645 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33645
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from improper input validation in the chunked upload functionality of Fireshare. The application fails to sanitize user-supplied input from the checkSum multipart field before incorporating it into filesystem paths. An authenticated user can exploit this flaw to escape the intended upload directory and write files to arbitrary locations accessible by the Fireshare process.
The vulnerability requires authentication to exploit but does not require elevated privileges beyond a standard user account. When successfully exploited in containerized deployments, attackers can write to locations such as /tmp or other writable directories, potentially overwriting configuration files, planting malicious scripts, or staging additional attack payloads.
Root Cause
The root cause of this vulnerability is the direct use of the checkSum multipart field in filesystem path construction without implementing proper path canonicalization, sanitization, or directory containment checks. The application trusts user-supplied input for path operations, allowing directory traversal sequences (such as ../) to escape the intended upload boundary.
Attack Vector
The attack is conducted over the network and requires the attacker to have valid authentication credentials for the Fireshare application. Once authenticated, the attacker crafts a malicious chunked upload request with a specially crafted checkSum value containing path traversal sequences. The server processes this request and writes the uploaded content to the attacker-specified location rather than the intended upload directory.
The specific attack flow involves:
- Authenticating to the Fireshare application with valid credentials
- Initiating a chunked file upload to the vulnerable endpoint
- Including directory traversal sequences in the checkSum multipart field
- The server constructs the file path using the unsanitized checkSum value
- The uploaded file content is written to the attacker-controlled destination path
The impact primarily affects integrity by allowing unauthorized file writes. Depending on the deployment environment and permissions, this could lead to configuration manipulation, web shell deployment, or other follow-on attacks.
Detection Methods for CVE-2026-33645
Indicators of Compromise
- Unexpected file creation or modification in directories outside the Fireshare upload folder
- HTTP requests to chunked upload endpoints containing path traversal sequences (../, ..%2f, ..%252f)
- Anomalous files appearing in container directories such as /tmp or application configuration directories
- Web server logs showing multipart upload requests with suspicious checkSum parameter values
Detection Strategies
- Monitor file system activity for writes originating from the Fireshare process to locations outside designated upload directories
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in multipart form fields
- Review application logs for chunked upload requests with unusually long or suspicious checkSum values
- Deploy file integrity monitoring on critical system directories and configuration files
Monitoring Recommendations
- Enable detailed logging for all file upload operations in Fireshare
- Configure alerts for file creation events in sensitive directories triggered by the Fireshare process
- Implement network-based detection for HTTP requests containing encoded or plain-text path traversal sequences
- Regularly audit file system permissions to ensure the Fireshare process has minimal write access
How to Mitigate CVE-2026-33645
Immediate Actions Required
- Upgrade Fireshare to version 1.5.2 or later immediately
- Audit file systems for any unauthorized files that may have been written via this vulnerability
- Review access logs to identify any potential exploitation attempts
- Restrict file system permissions for the Fireshare process to minimize writable directories
Patch Information
The vulnerability is fixed in Fireshare version 1.5.2. Users should upgrade to this version or later to remediate the vulnerability. The patch implements proper input validation and path containment checks for the checkSum field in the chunked upload endpoint.
For detailed patch information, refer to the GitHub Fireshare Release v1.5.2 and the GitHub Security Advisory GHSA-7q8r-vpq3-89m7.
Workarounds
- If immediate patching is not possible, consider restricting network access to the Fireshare application to trusted users only
- Deploy the application in a containerized environment with read-only file systems where possible
- Implement a reverse proxy or WAF rule to filter requests containing path traversal patterns in multipart fields
- Limit the Fireshare process permissions to reduce the impact of unauthorized file writes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
