HTTP Query String Injection in unjs/unstorage


Reported on

Dec 30th 2022


The application does not properly sanitize query string parameters in the cloudflare-kv-http,github and http drivers. In the case of the github and http drivers there is no immediate vulnerability, however a slight risk is presented.

When a user controls a key within the cloudflare-kv-http driver the expiration and expiration_ttl parameters can be injected, allowing an attacker to modify the availability of an item.

This vulnerability is fairly minor, however in combination with a vulnerability in the cloudflare service, or github, or other HTTP service, sensitive parameters may be injected. There may also be undocumented query string parameters within these services.

Path traversals may also be possible in some services which normalise sequences of ../.

Proof of Concept

Set up the cloudflare-kv-http driver.

Send a request with the following key anything?expiration_ttl=1.

Observe that the key is removed shortly after creation.


Impacting the availability of user provided or user influenced keys.

We are processing your report and will contact the unjs/unstorage team within 24 hours. 3 months ago
We have contacted a member of the unjs/unstorage team and are waiting to hear back 3 months ago
unjs/unstorage maintainer has acknowledged this report 3 months ago
pooya parsa validated this vulnerability a month ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pooya parsa marked this as fixed in 1.1.4 with commit cc3ebb a month ago
pooya parsa has been awarded the fix bounty
This vulnerability will not receive a CVE
pooya parsa published this vulnerability a month ago
to join this conversation