JiangQie Free Mini Program CVE-2024-49314
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in jiangqie JiangQie Free Mini Program jiangqie-free-mini-program allows Upload a Web Shell to a Web Server.This issue affects JiangQie Free Mini Program: from n/a through <= 2.5.2.
AnalysisAI
Unrestricted file upload in JiangQie Free Mini Program (versions up to and including 2.5.2) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score with scope-changed impact reflects critical severity, though no public exploit is identified at time of analysis and EPSS of 0.89% places exploitation probability in the 75th percentile - elevated but not yet indicative of mass exploitation.
Technical ContextAI
The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw where a web application fails to validate the type, content, or extension of files submitted via an upload endpoint. JiangQie Free Mini Program is a free mini-program framework typically used to build WeChat-style mini-application backends; when its upload handler accepts arbitrary file types - including server-executable scripts such as PHP, JSP, or ASP - an attacker can place executable content into a web-accessible directory. Once written, requesting the uploaded file causes the underlying web server to execute it as code, yielding remote command execution under the privileges of the web server process.
Affected ProductsAI
JiangQie Free Mini Program (jiangqie-free-mini-program) from an unspecified initial version through and including 2.5.2 is affected, per the Patchstack-coordinated disclosure. No CPE string was provided in the input, and no vendor advisory URL was included in references, so the exact upper-bound fixed release should be verified directly with the vendor or via the Patchstack database entry for CVE-2024-49314.
RemediationAI
No vendor-released patch is independently confirmed from the available data; administrators should monitor the JiangQie project for a release later than 2.5.2 and check the Patchstack advisory for the fixed version. As compensating controls until a patch is applied, restrict access to upload endpoints via authentication or IP allowlisting at the web server or reverse proxy layer (trade-off: may break legitimate mini-program submissions); enforce server-side MIME and extension allowlists at a WAF, blocking .php, .jsp, .asp, .aspx, .phtml, and similar executable extensions (trade-off: bypassable via double extensions or content sniffing if filtering is weak); and configure the upload destination directory to disable script execution via web server directives such as Apache's RemoveHandler / php_flag engine off or nginx location blocks that return static content only (trade-off: requires careful path scoping to avoid disabling legitimate functionality).
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today