CVE-2026-34750: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in payloadcms payload
CVE-2026-34750 is a path traversal vulnerability in Payload CMS versions prior to 3.78.0 affecting the client-upload signed-URL endpoints for multiple cloud storage providers (S3, GCS, Azure, R2). The flaw allows attackers with limited privileges to craft filenames that escape the intended storage directories, potentially overwriting or injecting files outside the designated storage area. This vulnerability impacts integrity but does not affect confidentiality or availability directly. Exploitation requires low complexity and no user interaction but does require some level of privileges (PR:L). The issue has been patched in version 3.78.0. Organizations using vulnerable versions should upgrade promptly and review file upload handling to prevent unauthorized file placement.
AI Analysis
Technical Summary
Payload CMS is an open-source headless content management system that supports multiple cloud storage backends including AWS S3, Google Cloud Storage (GCS), Azure Blob Storage, and Cloudflare R2. Prior to version 3.78.0, the client-upload signed-URL endpoints in the @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3 packages did not properly sanitize filenames provided by users. This improper validation allowed attackers to perform path traversal attacks (CWE-22), where specially crafted filenames containing directory traversal sequences (e.g., '../') could escape the intended storage directory boundaries. As a result, an attacker with limited privileges could upload files outside the designated storage location, potentially overwriting critical files or injecting malicious content into other parts of the storage system. The vulnerability affects all versions before 3.78.0 and has been addressed by sanitizing filenames to restrict them within the intended directories. The CVSS 3.1 base score is 6.5, indicating a medium severity vulnerability with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting integrity without affecting confidentiality or availability. No known exploits are reported in the wild yet. This vulnerability highlights the importance of strict input validation on file uploads, especially when generating signed URLs for cloud storage services.
Potential Impact
The primary impact of this vulnerability is on the integrity of stored data. An attacker exploiting this flaw can overwrite or inject files outside the intended storage directories, potentially leading to unauthorized modification of content, defacement, or insertion of malicious files that could be executed or served to users. This could undermine trust in the CMS content, disrupt business operations, or facilitate further attacks such as webshell deployment or supply chain compromise. Since the vulnerability does not affect confidentiality or availability directly, data leakage or denial of service are less likely immediate consequences. However, the ability to place arbitrary files can be leveraged in multi-stage attacks. Organizations relying on Payload CMS with vulnerable versions and using cloud storage backends are at risk, especially if attackers have some level of authenticated access. The ease of exploitation and network accessibility make this a significant concern for web-facing applications. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks.
Mitigation Recommendations
1. Upgrade Payload CMS to version 3.78.0 or later immediately to apply the official patch that properly sanitizes filenames and prevents path traversal.
2. Implement strict server-side validation of all filenames and paths used in file uploads, ensuring no directory traversal sequences are allowed.
3. Employ allowlists for acceptable filename characters and patterns to reduce injection risks.
4. Restrict permissions on storage buckets and directories to minimize the impact of any unauthorized file placement.
5. Monitor storage locations for unexpected or suspicious files that could indicate exploitation attempts.
6. Use cloud provider security features such as bucket policies, object lifecycle rules, and logging to detect and prevent unauthorized access or modifications.
7. Conduct regular security audits and penetration testing focused on file upload and storage mechanisms.
8. Educate developers and administrators on secure handling of file uploads and the risks of path traversal vulnerabilities.
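The server-side validation and allowlist checks in items 2 and 3 can be sketched as follows. This is an added example, not Payload's patch or code from the advisory; `naiveObjectKey`, `safeObjectKey`, the `SAFE_NAME` pattern and the `uploads/media` prefix are hypothetical, and the key normalization is an assumed POSIX-style join.

```javascript
// Added example: names and policy below are assumptions, not Payload's code.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/; // hypothetical allowlist

// Collapse '.', '..' and empty segments the way a POSIX-style path join would.
function normalizeKey(key) {
  const out = [];
  for (const seg of key.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return out.join('/');
}

// Naive form: the client-supplied filename goes straight into the object key.
function naiveObjectKey(prefix, filename) {
  return normalizeKey(`${prefix}/${filename}`);
}

// Hardened form: allowlist the name, then confirm the key stays under the prefix.
function safeObjectKey(prefix, filename) {
  if (typeof filename !== 'string' || !SAFE_NAME.test(filename)) {
    // '/', '\', '%', NUL and leading dots are all outside the allowlist, so
    // '../', percent-encoded separators and dot-only names are refused here.
    throw new Error('filename rejected by allowlist');
  }
  const base = normalizeKey(prefix) + '/';
  const key = normalizeKey(base + filename);
  // Defense in depth: re-check containment after normalization.
  if (!key.startsWith(base)) throw new Error('key escapes storage prefix');
  return key;
}

// Run the hardened builder over a batch of names and report each outcome.
function classify(prefix, names) {
  return names.map((n) => {
    try { return { name: n, key: safeObjectKey(prefix, n) }; }
    catch (e) { return { name: n, rejected: e.message }; }
  });
}

// Constructed sample filenames, as a signed-URL request handler might receive them.
const samples = ['report.pdf', '../../config/site.json', '..%2Fother/logo.png', '.env', 'a/b.png'];
console.log(naiveObjectKey('uploads/media', samples[1]));
console.log(classify('uploads/media', samples));
```

Validation has to run before the URL is signed: once a signed URL has been issued for a key, the storage provider accepts the upload to that key without consulting the application again.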
Affected Countries
United States, Canada, United Kingdom, Germany, France, Netherlands, Australia, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T19:17:10.225Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69cd7b33e6bfc5ba1df49823
Added to database: 4/1/2026, 8:08:19 PM
Last enriched: 4/1/2026, 8:24:58 PM
Last updated: 4/1/2026, 10:38:35 PM