NocoDB: Stored Cross-Site Scripting via Secure Attachment
🔗 CVE IDs covered (1)
📋 Description
Summary
With NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or
.svg attachments that the browser rendered inline from the NocoDB origin instead of
forcing a download.
Details
The signed attachment handler stored response-header overrides under PascalCase keys
(ResponseContentDisposition, ResponseContentType) while the controller that served
the file read them under lowercase-hyphen names (response-content-disposition). The
mismatch dropped the Content-Disposition: attachment header, leaving Express to
auto-render .html, .svg, and similar inline. The fix corrects the key case and
additionally forces Content-Disposition: attachment and
Content-Type: application/octet-stream for any MIME type not on the preview
allowlist.
Impact
Stored Cross-Site Scripting in the NocoDB origin from inline-rendered uploads. Script
executing in the victim's browser can read the auth JWT from localStorage.
Exploitation requires authenticated upload permission and the secure-attachment mode
to be enabled.
Credit
This issue was reported by @bugbunny-research. It was independently reported by @DavidCarliez.
🎯 Affected products1
- npm/nocodb:<= 0.301.3