js · @jhb.software/payload-cloudinary-plugin · Critical
@jhb.software/payload-cloudinary-plugin: Unrestricted signature generation via paramsToSign
What changed
The plugin's signing endpoint at POST /api/cloudinary-generate-signature passes attacker-supplied paramsToSign directly to cloudinary.utils.api_sign_request() without any allowlist or validation, allowing any authenticated user to obtain valid Cloudinary signatures for arbitrary upload parameters.
Who it affects
All deployments with clientUploads: true enabled.
What to do today
Disable clientUploads: true or apply the recommended fix that restricts allowed keys to timestamp, folder, and public_id, validates folder against the configured folder option, and rejects path traversal sequences.
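One way to apply the recommended restriction before the request body reaches cloudinary.utils.api_sign_request(), as an added example rather than the plugin's actual patch. The names validateParamsToSign, hasTraversal and configuredFolder are hypothetical, and requiring the folder to equal the configured folder option exactly is an assumption.

```javascript
// Added example, not the plugin's own code; function names are hypothetical.
const ALLOWED_KEYS = new Set(["timestamp", "folder", "public_id"]);

// True when a path-like value holds traversal or ambiguous separators.
function hasTraversal(value) {
  if (value.includes("\\") || value.includes("%")) return true; // backslash or encoded bytes
  // Empty, "." and ".." segments cover "//", leading or trailing "/" and "../".
  return value.split("/").some((seg) => seg === "" || seg === "." || seg === "..");
}

// Returns a fresh object holding only validated values, or throws.
// configuredFolder stands in for the plugin's folder option (assumed to be a string).
function validateParamsToSign(paramsToSign, configuredFolder) {
  if (paramsToSign === null || typeof paramsToSign !== "object" || Array.isArray(paramsToSign)) {
    throw new Error("paramsToSign must be a plain object");
  }
  const clean = {};
  for (const [key, value] of Object.entries(paramsToSign)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`parameter not allowed: ${key}`);
    if (typeof value !== "string" && typeof value !== "number") {
      throw new Error(`invalid type for ${key}`); // blocks arrays and nested objects
    }
    clean[key] = String(value);
  }
  if (!/^\d{1,12}$/.test(clean.timestamp ?? "")) throw new Error("timestamp must be an integer");
  // Assumption: the signed folder must equal the configured folder exactly.
  if (clean.folder !== configuredFolder) throw new Error("folder does not match configuration");
  for (const key of ["folder", "public_id"]) {
    if (clean[key] !== undefined && hasTraversal(clean[key])) {
      throw new Error(`${key} contains a traversal sequence`);
    }
  }
  return clean;
}

// Constructed sample requests, checked against a configured folder of "media".
const samples = [
  { timestamp: 1700000000, folder: "media", public_id: "avatars/u1" },
  { timestamp: 1700000000, folder: "media", overwrite: "true" },
  { timestamp: 1700000000, folder: "other" },
  { timestamp: 1700000000, folder: "media", public_id: "../other/u1" },
];
for (const s of samples) {
  let verdict = "signable";
  try { validateParamsToSign(s, "media"); } catch (e) { verdict = `rejected: ${e.message}`; }
  console.log(JSON.stringify(s), "->", verdict);
}
```

Only the object returned by the validator should be signed, never the original request body.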