CVE-2026-27641

Flask-Reuploaded · Flask-Reuploaded

A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows for arbitrary file writes and remote code execution (RCE) via Server-Side Template Injection (SSTI).

Executive summary

Attackers can bypass file upload restrictions in Flask-Reuploaded to write malicious files to the server, leading to full remote code execution and system compromise.

Vulnerability

The flaw combines path traversal with an extension bypass: an attacker can manipulate the name parameter to write files to locations outside the intended upload directory, with extensions the upload set was meant to reject. If a written file is later processed as a template, the result is SSTI and, from there, RCE.

Business impact

Successful exploitation allows an attacker to gain a persistent foothold on the server. By achieving RCE, they can steal application data, access backend databases, or use the server as a pivot point for further internal network attacks. The CVSS score of 9.8 reflects the high probability of total system compromise.

Remediation

Immediate Action: Update Flask-Reuploaded to version 1.5.0. If an immediate update is not possible, ensure that user input is never passed to the name parameter and use auto-generated filenames.

Proactive Monitoring: Scan the application's upload directories for files with unexpected extensions or those containing template syntax (e.g., {{ ... }}).

Compensating Controls: Implement strict input validation for all upload parameters and run the application in a containerized environment with a read-only root filesystem where possible.
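The two defender-side measures above (never derive the stored name from user input, and scan upload directories for unexpected extensions or template syntax) as an added Python example. This is not Flask-Reuploaded's own code and does not call its API; it assumes a hypothetical extension allowlist and a Jinja2-style delimiter check, and the value returned by safe_upload_name is what an application would supply in place of user-controlled input for the library's name parameter.

```python
import os
import re
import tempfile
import uuid
from pathlib import Path

# Assumed allowlist: the extensions this application actually expects to store.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})

# Jinja2 delimiters: expressions {{ ... }}, statements {% ... %}, comments {# ... #}.
TEMPLATE_SYNTAX = re.compile(rb"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)


def extension_of(filename: str) -> str:
    """Lower-cased extension of the last path component, or '' if there is none.
    Backslashes are treated as separators so a Windows-style path cannot smuggle directories."""
    base = os.path.basename(filename.replace("\\", "/"))
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def has_allowed_extension(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    return extension_of(filename) in allowed


def safe_upload_name(original_filename: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Return a server-generated filename for an upload.

    Nothing from the user-supplied name survives except the extension, and only when
    that extension is on the allowlist; directory components and '..' are discarded.
    """
    ext = extension_of(original_filename)
    if ext not in allowed:
        raise ValueError(f"extension {ext!r} is not permitted")
    return f"{uuid.uuid4().hex}.{ext}"


def scan_upload_dir(upload_dir, allowed=ALLOWED_EXTENSIONS, max_bytes=1_000_000):
    """Walk upload_dir and report files that should not be there.

    A file is reported when its extension is not allowlisted, or when the first
    max_bytes of its content contain template syntax. Returns a sorted list of
    (path, reason) tuples; a file can appear twice if both checks fire.
    """
    findings = []
    root = Path(upload_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        ext = path.suffix.lstrip(".").lower()
        if ext not in allowed:
            findings.append((str(path), f"unexpected extension {ext!r}"))
        with path.open("rb") as fh:
            head = fh.read(max_bytes)
        if TEMPLATE_SYNTAX.search(head):
            findings.append((str(path), "template syntax found"))
    return findings


def build_sample_upload_dir() -> str:
    """Create a temporary directory holding constructed sample files (not real uploads)."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    (root / "ok.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (root / "evil.html").write_bytes(b"<p>{{ config }}</p>")
    (root / "note.pdf").write_bytes(b"%PDF-1.4 hello {% if x %}y{% endif %}")
    return str(root)


if __name__ == "__main__":
    print(safe_upload_name("holiday photo.JPG"))
    for path, reason in scan_upload_dir(build_sample_upload_dir()):
        print(f"{reason:32} {path}")
```

The scanner is a periodic control, not a substitute for the upgrade: it reports a file written outside the allowlist or carrying template delimiters after the fact, whereas generating the stored name server-side removes the user-controlled input the traversal depends on.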

Exploitation status

Public Exploit Available: No

Analyst recommendation

The risk of RCE via SSTI makes this a critical priority for any Flask-based application using this library. We strongly recommend immediate migration to version 1.5.0 and the adoption of secure file-naming conventions to prevent similar path traversal issues in the future.