Skip to main content

JiangQie Free Mini Program CVE-2024-49314

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-17 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 29, 2026 - 10:22 NVD
10.0 (CRITICAL)
CVE Published
Oct 17, 2024 - 18:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in jiangqie JiangQie Free Mini Program jiangqie-free-mini-program allows Upload a Web Shell to a Web Server.This issue affects JiangQie Free Mini Program: from n/a through <= 2.5.2.

AnalysisAI

Unrestricted file upload in JiangQie Free Mini Program (versions up to and including 2.5.2) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score with scope-changed impact reflects critical severity, though no public exploit is identified at time of analysis and EPSS of 0.89% places exploitation probability in the 75th percentile - elevated but not yet indicative of mass exploitation.

Technical ContextAI

The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw where a web application fails to validate the type, content, or extension of files submitted via an upload endpoint. JiangQie Free Mini Program is a free mini-program framework typically used to build WeChat-style mini-application backends; when its upload handler accepts arbitrary file types - including server-executable scripts such as PHP, JSP, or ASP - an attacker can place executable content into a web-accessible directory. Once written, requesting the uploaded file causes the underlying web server to execute it as code, yielding remote command execution under the privileges of the web server process.

Affected ProductsAI

JiangQie Free Mini Program (jiangqie-free-mini-program) from an unspecified initial version through and including 2.5.2 is affected, per the Patchstack-coordinated disclosure. No CPE string was provided in the input, and no vendor advisory URL was included in references, so the exact upper-bound fixed release should be verified directly with the vendor or via the Patchstack database entry for CVE-2024-49314.

RemediationAI

No vendor-released patch is independently confirmed from the available data; administrators should monitor the JiangQie project for a release later than 2.5.2 and check the Patchstack advisory for the fixed version. As compensating controls until a patch is applied, restrict access to upload endpoints via authentication or IP allowlisting at the web server or reverse proxy layer (trade-off: may break legitimate mini-program submissions); enforce server-side MIME and extension allowlists at a WAF, blocking .php, .jsp, .asp, .aspx, .phtml, and similar executable extensions (trade-off: bypassable via double extensions or content sniffing if filtering is weak); and configure the upload destination directory to disable script execution via web server directives such as Apache's RemoveHandler / php_flag engine off or nginx location blocks that return static content only (trade-off: requires careful path scoping to avoid disabling legitimate functionality).

Share

CVE-2024-49314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy