CVE-2026-38361
Status: Awaiting Analysis (Queue)
Remote Code Execution in Fohrloop Dash-Uploader

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components
CVSS Scores
No CVSS score is shown for this record yet.
EPSS Scores
Probability: not yet available
Percentile: not yet available
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: fohrloop
Product: dash-uploader
Version / Range: from 0.1.0 (inclusive) to 0.7.0a2 (inclusive)
Exploitability
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-670: The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The advisory describes remote code execution in dash-uploader, and the associated issues (unbounded memory allocation, disk exhaustion and file truncation) can lead to denial of service and destruction of uploaded data.

Because the package accepts uploads without server-side size validation (the max_file_size limit is enforced only in the client), it puts the integrity and availability of the data handled by the upload path at risk.

Those are exactly the properties GDPR and HIPAA require organizations to protect: integrity and availability of personal data, and prevention of unauthorized access or data loss.

The project is no longer maintained and no patch is available, which complicates compliance further: organizations using this package cannot point to a vendor fix and must rely on documented compensating controls and an incident-response plan to meet requirements for secure data handling.


Can you explain this vulnerability to me?

CVE-2026-38361 is recorded against the Python package dash-uploader, versions 0.1.0 through 0.7.0a2. The description states that a remote attacker can execute arbitrary code through components in dash_uploader: httprequesthandler.py, upload.py (specifically the Upload function and its max_file_size parameter) and configure_upload.py, where parameters are not validated and required checks are missing.

Note that the CWE mapping on this page (CWE-400, uncontrolled resource consumption, and CWE-670, always-incorrect control flow) and the issues described next concern resource exhaustion and faulty control flow rather than code execution, and the record is still awaiting analysis. Treat the remote-code-execution label as not yet independently confirmed, but plan for the denial-of-service impact regardless.

The issues reported are several unauthenticated denial-of-service conditions: out-of-memory crashes, truncation of existing files to zero bytes, permanent disk exhaustion and bypass of the max_file_size limit. max_file_size is enforced only on the client side, so an attacker who talks to the upload endpoint directly can send files larger than the configured limit.

They stem from unbounded memory allocation, file operations performed without validation, and directory creation without cleanup, each of which an attacker can trigger to crash the server, destroy data or exhaust resources.


How can this vulnerability impact me? :

If the remote-code-execution claim holds, an attacker gains code execution on the server running dash-uploader, which means full compromise of that host and of anything it can reach.

Independently of that, the documented denial-of-service conditions are enough to take the service down: an attacker can exhaust server memory and disk space, truncate existing uploads to zero bytes and bypass the configured file-size restriction, disrupting availability and destroying data.

Because max_file_size is enforced only client-side, nothing stops a direct client from uploading arbitrarily large files and filling the disk permanently; upload directories that are never cleaned up can also exhaust inodes, so the host can become unusable even while free space remains.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation consists of unauthenticated HTTP requests to the dash-uploader upload endpoint that ignore the client-side max_file_size limit and drive the server into resource exhaustion or file truncation. There is no signature string to look for: max_file_size is an argument of the Upload component in upload.py, not a field the client sends, so filtering traffic for that name will not find anything.

Detect it from the endpoint instead. The upload route is registered on the Flask server by configure_upload.py, so first find the path your deployment uses, then watch POST traffic to it.

Suggested commands, with your upload path substituted for UPLOAD_PATH:

  • Count POSTs to the upload route per client in the web-server log: grep "POST $UPLOAD_PATH" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head
  • Capture traffic to the upload route with tcpdump and compare the bytes each client sends with the max_file_size the application configured; in Wireshark, filter on http.request.method == "POST" together with the upload URI and read the byte counts from the conversation statistics.
  • Watch for the symptoms themselves on the host: du -sh on the upload folder over time, df -h and df -i for disk and inode exhaustion, and zero-byte files where uploads used to be (find UPLOAD_DIR -type f -size 0).

Because the server enforces no size limit, the strongest signals are a client sending more bytes than max_file_size allows, bursts of POSTs to the upload route from one source, and unexplained growth of the upload directory or of the Dash process's memory use.
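The log check described above, as an added example that is not part of this page or of dash-uploader: it parses nginx "combined" access-log lines and reports clients that send more than a threshold of POSTs to the upload route within a sliding window. The combined format records the response size rather than the request body size, so the signal used here is request rate per client, not upload size. The upload path "/API/dash-uploader", the thresholds and the log lines are assumptions constructed for the example; substitute the route your configure_upload.py registers.

```python
"""Flag bursts of POSTs to an upload endpoint in nginx 'combined' access logs.

Added example, not from the CVE page or the dash-uploader project.
"""
import re
from collections import defaultdict
from datetime import datetime

UPLOAD_PATH = "/API/dash-uploader"  # assumption: replace with the deployed route
WINDOW_SECONDS = 60                  # sliding window length
THRESHOLD = 5                        # POSTs per client per window before alerting

# ip ident user [timestamp] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample traffic, not real log data: 10.0.0.7 fires eight POSTs
# at the upload route in 35 seconds, 10.0.0.8 behaves normally.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/May/2026:12:00:00 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.8 - - [10/May/2026:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/May/2026:12:00:05 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.7 - - [10/May/2026:12:00:10 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.8 - - [10/May/2026:12:00:12 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/May/2026:12:00:15 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.7 - - [10/May/2026:12:00:20 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.7 - - [10/May/2026:12:00:25 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.7 - - [10/May/2026:12:00:27 +0000] "GET /API/dash-uploader HTTP/1.1" 405 0 "-" "python-requests/2.31"',
    '10.0.0.7 - - [10/May/2026:12:00:30 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.7 - - [10/May/2026:12:00:35 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.8 - - [10/May/2026:12:00:40 +0000] "POST /API/dash-uploader HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/May/2026:12:00:41 +0000] "POST /other HTTP/1.1" 404 0 "-" "curl/8.0"',
    'not a log line',
]


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bursts(lines):
    """Map each client IP to the largest number of POSTs it made to the upload
    route inside any WINDOW_SECONDS window, for clients exceeding THRESHOLD."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        ip, ts, method, path, _status = rec
        if method == "POST" and path.startswith(UPLOAD_PATH):
            per_ip[ip].append(ts)

    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until it fits inside WINDOW_SECONDS
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            count = end - start + 1
            if count > THRESHOLD:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} POSTs to {UPLOAD_PATH} within {WINDOW_SECONDS}s")
```

Run it against a real log by replacing SAMPLE_LOG with the lines of access.log; the detector skips lines it cannot parse instead of failing, which matters when the log format is not exactly the combined format.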


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for this vulnerability include:

  • Migrate away from dash-uploader, for example to Plotly Dash's built-in dcc.Upload component, which does not share this code path. dcc.Upload delivers the whole file to the callback as a base64 string, so it needs its own size limit for large uploads rather than being a drop-in replacement.
  • If you keep a custom upload route, implement it as a Flask handler that enforces the size limit on the server: set MAX_CONTENT_LENGTH as a first gate, count bytes as they arrive instead of trusting Content-Length, stream to disk in fixed-size chunks so memory stays bounded, write to a temporary file and rename it into place so an existing file is never truncated, and delete the temporary file on any failure.
  • At the reverse proxy or WAF, cap the request body (nginx client_max_body_size) and rate-limit POSTs to the upload route; block the route entirely from networks that have no business uploading.
  • Regularly remove orphaned temporary upload files and directories and alert on disk and inode usage so a failed or malicious upload cannot exhaust the filesystem unnoticed.

Note that no patch is available because the project was archived and has no active maintainer, so these mitigations are the only fix; treat the package as end-of-life rather than waiting for a release.
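A server-side size cap of the kind the second step calls for, as an added example that is neither dash-uploader's code nor taken from this page. It is framework-neutral: save_bounded takes any readable byte stream plus a destination directory, so it can sit behind a Flask route and read request.stream. The function and exception names, max_bytes, and the constructed bodies in demo() are assumptions for the example.

```python
"""Server-side upload cap with bounded memory and cleanup on failure.

Added example, not dash-uploader's code. 'max_bytes' stands in for a
server-enforced counterpart of the client-only max_file_size.
"""
import io
import os
import tempfile

CHUNK = 64 * 1024  # read the body in fixed-size pieces, never all at once


class UploadTooLarge(Exception):
    """Raised as soon as the body exceeds the server-side limit."""


def save_bounded(stream, dest_dir, filename, max_bytes):
    """Copy 'stream' into dest_dir/filename while enforcing max_bytes on the server.

    - counts bytes as they arrive, so a forged Content-Length does not help
    - writes to a temp file and renames at the end, so an existing file is
      never truncated to zero bytes by a failed or partial upload
    - removes the temp file on any failure, so aborted uploads cannot pile
      up and exhaust disk space or inodes
    Returns the number of bytes written.
    """
    os.makedirs(dest_dir, exist_ok=True)
    safe_name = os.path.basename(filename)  # strip any directory components
    if safe_name in ("", ".", ".."):
        raise ValueError("invalid filename")
    final_path = os.path.join(dest_dir, safe_name)

    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".upload-")
    written = 0
    try:
        with os.fdopen(fd, "wb") as out:
            while True:
                chunk = stream.read(CHUNK)
                if not chunk:
                    break
                written += len(chunk)
                if written > max_bytes:
                    raise UploadTooLarge(f"upload exceeds {max_bytes} bytes")
                out.write(chunk)
        os.replace(tmp_path, final_path)  # atomic: old content stays until here
    except BaseException:
        try:
            os.unlink(tmp_path)  # never leave a partial temp file behind
        except FileNotFoundError:
            pass
        raise
    return written


def demo():
    """Exercise the cap on two constructed bodies in a throwaway directory.

    Returns (bytes written for the small upload, whether the oversize upload
    was rejected, size of the file that survived, leftover temp files).
    """
    with tempfile.TemporaryDirectory() as d:
        ok = save_bounded(io.BytesIO(b"a" * 1000), d, "report.csv", max_bytes=2048)
        try:
            save_bounded(io.BytesIO(b"b" * 5000), d, "report.csv", max_bytes=2048)
            rejected = False
        except UploadTooLarge:
            rejected = True
        survived = os.path.getsize(os.path.join(d, "report.csv"))
        leftovers = [n for n in os.listdir(d) if n.startswith(".upload-")]
        return ok, rejected, survived, len(leftovers)


if __name__ == "__main__":
    print(demo())  # (1000, True, 1000, 0)
```

demo() shows the three properties together: the 1000-byte body is stored, the 5000-byte body is rejected before it is fully written, the previously stored report.csv keeps its 1000 bytes instead of being truncated, and no temp file remains. Behind Flask, pass request.stream as the stream and keep MAX_CONTENT_LENGTH set as well so the framework rejects obviously oversized declared lengths before the handler runs.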

