CVE-2020-15135: save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in...

Description

save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF attack would require you to navigate to a malicious site while you have an active session with Save-Server (Session key stored in cookies). The malicious user would then be able to perform some actions, including uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly more severe. They can in addition create, delete and update users. If they updated the password of a user, that user's files would then be available. If the root password is updated, all files would be visible if they logged in with the new password. Note that due to the same origin policy malicious actors cannot view the gallery or the response of any of the methods, nor be sure they succeeded. This issue has been patched in version 1.0.7.

Metrics

CVSS 3.1

7.6/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

EPSS Probability

0.72%

49.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Save-Server Project	Save-Server	< 1.0.5

References

https://github.com/Neztore/save-server/security/advisories/GHSA-wwrj-35w6-77ffThird Party Advisory
https://medium.com/cross-site-request-forgery-csrf/double-submit-cookie-pattern-65bb71d80d9fExploit, Third Party Advisory
https://www.npmjs.com/package/save-serverProduct, Third Party Advisory
https://github.com/Neztore/save-server/security/advisories/GHSA-wwrj-35w6-77ffThird Party Advisory
https://medium.com/cross-site-request-forgery-csrf/double-submit-cookie-pattern-65bb71d80d9fExploit, Third Party Advisory
https://www.npmjs.com/package/save-serverProduct, Third Party Advisory

Timeline

Published: Aug 4, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-15135?

save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF attack would require you to navigate to a malicious site while you have an active session with Save-Server (Session key stored in cookies). The malicious user would then be able to perform some actions, including uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly more severe. They can in addition create, delete and update users. If they updated the password of a user, that user's files would then be available. If the root password is updated, all files would be visible if they logged in with the new password. Note that due to the same origin policy malicious actors cannot view the gallery or the response of any of the methods, nor be sure they succeeded. This issue has been patched in version 1.0.7.

How severe is CVE-2020-15135?

CVE-2020-15135 has a CVSS score of 7.6/10 (HIGH severity). The EPSS model estimates a 0.72% probability of exploitation in the next 30 days.

How do I fix CVE-2020-15135?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.