Summary
When upload.useTempFiles: true is configured globally, MIME type restrictions on upload collections can be completely bypassed, allowing upload of dangerous file types (HTML, JS, SVG with scripts).
Root Cause
File: packages/payload/src/uploads/checkFileRestrictions.ts:108
The temp file handler returns an empty buffer as file.data. fileTypeFromBuffer returns undefined for the empty buffer, and the fallback extension-based validation is gated behind !useTempFiles, causing it to be skipped entirely.
Preconditions
- useTempFiles: true in root config
- Collection has mimeTypes configured (e.g., ['image/*'])
- Authenticated upload access
Impact
- Upload dangerous file types (HTML with JS, SVG with scripts) to image-only collections
- validateSvg security check also bypassed
- Potential stored XSS if uploaded files are served inline
Suggested Fix
Remove the !useTempFiles gate on the fallback validation, or read the beginning of the temp file for buffer-based type detection.
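The gating flaw and the first suggested fix, as an added example that is a simplified model and not Payload's own code. The function names, the extension table and the `sniff` stand-in for fileTypeFromBuffer are assumptions made for illustration.

```javascript
// Simplified model of the MIME restriction check; all names are illustrative.
const EXT_TO_MIME = { png: 'image/png', jpg: 'image/jpeg', gif: 'image/gif',
  svg: 'image/svg+xml', html: 'text/html', js: 'text/javascript' };

// Stand-in for fileTypeFromBuffer: knows a few magic numbers, else undefined.
function sniff(buf) {
  if (buf.length >= 4 && buf.readUInt32BE(0) === 0x89504e47) return 'image/png';
  if (buf.length >= 3 && buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff) return 'image/jpeg';
  if (buf.length >= 4 && buf.toString('latin1', 0, 4) === 'GIF8') return 'image/gif';
  return undefined;
}

// Matches exact types and 'image/*' style patterns, as used in mimeTypes.
function allowed(mime, patterns) {
  return patterns.some((p) => (p.endsWith('/*') ? mime.startsWith(p.slice(0, -1)) : mime === p));
}

function mimeFromName(name) {
  return EXT_TO_MIME[name.split('.').pop().toLowerCase()];
}

// Flawed flow from the advisory: the fallback is gated behind !useTempFiles.
function checkVulnerable(file, patterns, useTempFiles) {
  const detected = sniff(file.data); // empty buffer -> undefined
  if (detected) return allowed(detected, patterns);
  if (!useTempFiles) {
    const byExt = mimeFromName(file.name);
    return byExt !== undefined && allowed(byExt, patterns);
  }
  return true; // neither check ran, so the upload is accepted
}

// Hardened flow: the fallback always runs and an unknown type is rejected.
function checkFixed(file, patterns) {
  const mime = sniff(file.data) ?? mimeFromName(file.name);
  return mime !== undefined && allowed(mime, patterns);
}

// Constructed uploads: with temp files enabled, file.data arrives empty.
const htmlUpload = { name: 'page.html', data: Buffer.alloc(0) };
const pngUpload = { name: 'logo.png', data: Buffer.alloc(0) };
console.log(checkVulnerable(htmlUpload, ['image/*'], true)); // true: restriction bypassed
console.log(checkFixed(htmlUpload, ['image/*']));            // false: rejected
console.log(checkFixed(pngUpload, ['image/*']));             // true: still accepted
```

The extension fallback trusts the client-supplied file name, so reading the first bytes of the temp file for detection, the second suggested fix, gives the stronger check.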