The vulnerability in the Cloudinary Node SDK arises from improper sanitization of user-supplied parameters that contain an ampersand (`&`). In versions prior to 2.7.0, the SDK’s internal parameter parsing logic does not correctly escape or handle this character. When an attacker provides a crafted value, such as `value&public_id=malicious`, the ampersand is misinterpreted as the delimiter for a new key-value pair. This allows the attacker to inject arbitrary parameters into the function call, such as a new `public_id` parameter. Injected parameters can override existing ones or introduce new, unintended options, potentially leading to security check bypasses, data manipulation, or other malicious behavior by influencing the SDK’s interaction with the Cloudinary API.
Platform: Cloudinary Node.js SDK
Version: < 2.7.0
Vulnerability: Argument Injection
Severity: High
Date: 2025-11-10
Prediction: 2025-11-24
What Undercode Say:
`curl -s "https://api.cloudinary.com/v1_1/…/image/upload" -F "[email protected]" -F "tags=custom&public_id=injected"`
`cloudinary.uploader.upload("file.jpg", { tags: "test&transformation=/w_100" })`
How Exploit:
An attacker crafts an image tag value like `profile&public_id=../../sensitive`. When the application uses this value in an upload or transformation function, the `public_id` parameter is injected, potentially overwriting or accessing unauthorized files.
Protection from this CVE:
Upgrade the `cloudinary` npm package to version 2.7.0 or later. The patch implements proper escaping for parameter values containing ampersands, preventing them from being interpreted as delimiters.
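The delimiter confusion described above and the effect of escaping, as an added example that is not Cloudinary SDK code or part of the original advisory. `serializeNaive`, `serializeEscaped`, `parse` and `rejectDelimiters` are hypothetical helpers, `encodeURIComponent` is an assumed stand-in for the patch's escaping, and the input is constructed.

```javascript
// Simplified model of '&'-delimited parameter handling (constructed for
// illustration; these helpers are hypothetical, not Cloudinary SDK code).

// Vulnerable pattern: values are joined without escaping the delimiter.
function serializeNaive(params) {
  return Object.entries(params).map(([k, v]) => `${k}=${v}`).join("&");
}

// Hardened pattern: percent-encode each value so '&' and '=' stay data.
// encodeURIComponent is an assumption here, not the SDK's actual patch.
function serializeEscaped(params) {
  return Object.entries(params)
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join("&");
}

// Receiver side: split on '&', then on the first '='; a repeated key
// overwrites the earlier one.
function parse(serialized) {
  const out = {};
  for (const pair of serialized.split("&")) {
    const i = pair.indexOf("=");
    if (i < 0) continue; // skip fragments that are not key=value
    out[pair.slice(0, i)] = decodeURIComponent(pair.slice(i + 1));
  }
  return out;
}

// Application-side guard for user-controlled option values, usable as
// defence in depth alongside the upgrade to 2.7.0 or later.
function rejectDelimiters(name, value) {
  if (typeof value !== "string" || value.includes("&")) {
    throw new TypeError(`option "${name}" must be a string without '&'`);
  }
  return value;
}

// Constructed input, using the tag value quoted in the text above.
const userTag = "custom&public_id=injected";
const options = { public_id: "user_123", tags: userTag };

console.log(parse(serializeNaive(options)));   // public_id is overridden
console.log(parse(serializeEscaped(options))); // tag stays a single value
```
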
Impact:
This can lead to unauthorized file overwrites, data manipulation, access to restricted resources, and a bypass of security controls within the application’s use of Cloudinary.
Sources:
Reported By: github.com

