Description
Hello,
I have been spending a little time hacking on this platform just for the joy of finding security bugs, and it appears that by default an unauthenticated user can simply upload files and create directories with the /api/images endpoint.
I simply pulled the latest version of the code and ran it based on the steps provided in the documentation. I found the API endpoint by uploading an image for a new product via the admin panel. I copied the POST request from Burp Suite and removed my cookies from the request. To my surprise, re-sending the POST request allows an unauthenticated user to upload any file they like to the server.
While I was not able to create any additional exploitation after the file upload, it should be noted that this would still be a valid DoS attack if one just continually uploaded large files to fill up the drive on the server.
Additionally, I see there is an attempt to restrict the types of files a user can upload in getMulter.js, but this actually doesn't work. This code only checks the MIME type specified in the POST request. I can upload any file I please (.js, .sh, .bin, etc.). I would recommend checking the actual file extension or, even better, the magic bytes in the file.
As I said earlier, thankfully I was not able to get remote code execution, but one can imagine the other types of attacks that could be perpetrated (like XSS by uploading an entirely new .html file).
Edited for MITRE - 12/02/25
Product: Evershop
Affected version: Evershop - 2.0.1
CVE: CVE-2025-65844
Vulnerability Type: Unrestricted file upload
Thank you for your time.
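The magic-byte check the report recommends, as an added example that is not EverShop's getMulter.js: it sniffs the leading bytes of the uploaded content and accepts it only when the detected format is an allowed image type that also matches the client's declared MIME type. The signature table, function names and sample buffers are constructed for this example.

```javascript
// Added example, not EverShop's getMulter.js: accept an upload only when its
// leading bytes ("magic bytes") identify an allowed image format. The MIME
// type multer exposes as file.mimetype is copied from the multipart part's
// Content-Type header, which the uploader controls, so it proves nothing.

// Offsets and expected bytes for the image formats a product image may use.
const IMAGE_SIGNATURES = [
  { type: 'image/png',  checks: [[0, Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])]] },
  { type: 'image/jpeg', checks: [[0, Buffer.from([0xff, 0xd8, 0xff])]] },
  { type: 'image/gif',  checks: [[0, Buffer.from('GIF8', 'ascii')]] },
  // WebP is "RIFF" <4-byte size> "WEBP"; the size bytes vary, so skip them.
  { type: 'image/webp', checks: [[0, Buffer.from('RIFF', 'ascii')], [8, Buffer.from('WEBP', 'ascii')]] },
];

// Return the MIME type whose signature the content carries, or null if none matches.
function sniffImageType(buf) {
  for (const { type, checks } of IMAGE_SIGNATURES) {
    const matches = checks.every(([offset, expected]) =>
      buf.length >= offset + expected.length &&
      buf.subarray(offset, offset + expected.length).equals(expected));
    if (matches) return type;
  }
  return null;
}

// Decide whether an upload may be stored. `declaredType` is the client's
// Content-Type claim; `buf` is the actual content. A script or HTML file
// sent with a forged "image/png" label fails because its bytes are not a PNG.
function validateUpload(declaredType, buf) {
  const actual = sniffImageType(buf);
  if (actual === null) {
    return { accepted: false, reason: 'content is not a supported image format' };
  }
  if (actual !== declaredType) {
    return { accepted: false, reason: `declared ${declaredType} but content is ${actual}` };
  }
  return { accepted: true, type: actual };
}

// Constructed samples: a PNG header padded with zeros, a WebP header, and a
// shell script that a client labels as image/png.
const SAMPLE_PNG = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), Buffer.alloc(16)]);
const SAMPLE_WEBP = Buffer.concat([
  Buffer.from('RIFF', 'ascii'), Buffer.alloc(4), Buffer.from('WEBPVP8 ', 'ascii')]);
const SAMPLE_SCRIPT = Buffer.from('#!/bin/sh\necho not-an-image\n', 'utf8');

console.log(validateUpload('image/png', SAMPLE_PNG));     // accepted
console.log(validateUpload('image/png', SAMPLE_SCRIPT));  // rejected
```

Because multer's fileFilter runs before the file body has been read, a content check like this has to be applied to the stored buffer (for example with memoryStorage) or to the first chunk of the incoming stream, not inside fileFilter alone.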