GHSA-2rm3-333w-xvc4MediumCVSS 5.3Disclosed before NVD

DotVVM: Unrestricted file upload

Published
June 19, 2026
Last Modified
June 19, 2026

📋 Description

Impact

All users of DotVVM with configured file upload storage are affected.

DotVVM allows anyone to upload files to the application, potentially causing denial of service by filling the disk.

Patches

Since version 4.3.15, 4.2.11 and 5.0.0-preview09, DotVVM requires all file upload request to have a cryptographic token, which is automatically generated by the FileUpload component. This means that users without access to any page with the FileUpload component cannot upload any files.

The patch also add the DotvvmConfiguration.Security.AuthorizeFileUpload option which allow you to further restrict which users can upload files.

Workarounds

As a workaround, you can temporarily disable file upload by removing AddUploadedFileStorage or AddDefaultTempStorage from your DotVVM configuration.

Even with the patch, we recommend configuring file upload to use a dedicated partition with limited size.

References

  • DotVVM file upload configuration: https://www.dotvvm.com/docs/4.0/pages/concepts/upload-and-download-files/upload-files

🎯 Affected products3

  • nuget/DotVVM:< 4.2.11
  • nuget/DotVVM:> 4.3.0-preview01-final, < 4.3.15
  • nuget/DotVVM:>= 5.0.0-preview01-final, < 5.0.0-preview09-final

🔗 References (2)