Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload

GHSA-g9f6-9775-hffm · CVE-2026-33221 · GO-2026-4759

Published Mar 18, 2026 · Modified Jun 9, 2026

Description

Summary

The storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.

Affected Component

Service: services/storage
File: services/storage/controller/upload_files.go
Function: getMultipartFile (lines 48-70)

Root Cause

In getMultipartFile, if the client provides a non-empty Content-Type header that isn't application/octet-stream, the function returns it as-is without performing content-based detection:

contentType := file.header.Header.Get("Content-Type")
if contentType != "" && contentType != "application/octet-stream" {
    return fileContent, contentType, nil // skip detection entirely
}

// mimetype.DetectReader only reached if client sends no Content-Type
// or sends application/octet-stream
mt, err := mimetype.DetectReader(fileContent)

Impact

Incorrect MIME type in file metadata. The MIME type stored in file metadata reflects what the client claims rather than what the file actually contains. Any system consuming this metadata (browsers, CDNs, applications) may handle the file incorrectly based on the spoofed type.

Suggested Fix

Always detect MIME type from file content using mimetype.DetectReader, ignoring the client-provided Content-Type header entirely.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes