Server side cross-site scripting In nocodb
Description
NocoDB: Stored Cross-Site Scripting via Secure Attachment
Summary
With NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or
.svg attachments that the browser rendered inline from the NocoDB origin instead of
forcing a download.
Details
The signed attachment handler stored response-header overrides under PascalCase keys
(ResponseContentDisposition, ResponseContentType) while the controller that served
the file read them under lowercase-hyphen names (response-content-disposition). The
mismatch dropped the Content-Disposition: attachment header, leaving Express to
auto-render .html, .svg, and similar inline. The fix corrects the key case and
additionally forces Content-Disposition: attachment and
Content-Type: application/octet-stream for any MIME type not on the preview
allowlist.
Impact
Stored Cross-Site Scripting in the NocoDB origin from inline-rendered uploads. Script
executing in the victim's browser can read the auth JWT from localStorage.
Exploitation requires authenticated upload permission and the secure-attachment mode
to be enabled.
Credit
This issue was reported by @bugbunny-research. It was independently reported by @DavidCarliez.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version |
|---|---|---|
 npm |
Aliases
References