Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit.
Impact
Any guest with access to a shared file request link can upload files far larger than the administrator-configured size limit, up to the server's global MaxFileSizeMB. This allows unauthorized storage consumption, circumvention of administrative resource policies, and potential service disruption through storage exhaustion. No data exposure or privilege escalation occurs.
AnalysisAI
A validation bypass in the chunked file upload completion logic for file requests allows attackers to circumvent per-request file size limits by splitting oversized files into smaller chunks that individually pass validation. Attackers with access to a public file request link can sequentially upload chunks to exceed the administrator-configured MaxSize limit, uploading files up to the server's global MaxFileSizeMB threshold. This enables unauthorized storage consumption and potential service disruption through storage exhaustion, though no data exposure or privilege escalation occurs; the vulnerability carries a CVSS score of 4.3 with EPSS and KEV status not currently indicated as critical, suggesting limited real-world exploitation pressure despite straightforward attack mechanics.
Technical ContextAI
The vulnerability exists in the file request upload completion endpoint, which implements chunked transfer encoding to support large file uploads. The root cause is classified under CWE-20 (Improper Input Validation), specifically the failure to validate the aggregate file size against the per-request MaxSize parameter during chunk reassembly. The upload service validates individual chunks against MaxSize but does not perform cumulative validation when combining chunks into the final file during the completion phase. This is a classic input validation flaw where boundary checks are performed at an intermediate step but bypassed at the final assembly stage. The affected technology involves HTTP chunked transfer encoding combined with a multi-stage upload workflow that separates chunk acceptance from final size validation.
RemediationAI
Implement cumulative file size validation in the chunked upload completion handler to verify that the total reassembled file size does not exceed the per-request MaxSize limit, in addition to existing per-chunk validation. Apply the vendor patch or upgrade to the patched version once available from your vendor's security advisory. As an interim mitigation, reduce the global MaxFileSizeMB configuration to match or be slightly above the largest permissible per-request MaxSize to limit the damage radius, implement server-side monitoring and alerting for unusual upload patterns or rapid sequential chunk uploads, and consider restricting file request links to authenticated users only or enabling rate limiting on chunk upload endpoints. Additionally, enforce storage quota enforcement at the filesystem or container level to prevent storage exhaustion from causing complete service denial.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12080
GHSA-45vh-rpc8-hxpp