CVE-2017-1000052

HIGH7.8EPSS 0.25%

Null Byte Injection in Plug.Static

Published: 4/12/2022Modified: 12/10/2025

Description

Plug.Static is used for serving static assets, and is vulnerable to null byte injection. If file upload functionality is provided, this can allow users to bypass filetype restrictions. We recommend all applications that provide file upload functionality and serve those uploaded files locally with Plug.Static to upgrade immediately or include the fix below. If uploaded files are rather stored and served from S3 or any other cloud storage, you are not affected.

Affected packages (1)

Hex/plugfrom 0, < 1.0.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000052
PATCHhttps://github.com/elixir-plug/plug
WEBhttps://elixirforum.com/t/security-releases-for-plug/3913