DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-H5X8-XP6M-X6Q4: Unvalidated Signature Generation in @jhb.software/payload-cloudinary-plugin

Vulnerability ID: GHSA-H5X8-XP6M-X6Q4
CVSS Score: 7.1
Published: 2026-06-19

The @jhb.software/payload-cloudinary-plugin exposes an endpoint that signs Cloudinary API parameters with the account's API secret without validating which parameters the client supplied. An authenticated user with minimal privileges can therefore obtain valid signatures for a parameter set of their choosing; there is no need to forge anything, the server does the signing. Depending on the parameters signed, an attacker can overwrite existing assets in the Cloudinary account, upload files they were not authorized to upload, change asset visibility parameters, make Cloudinary issue webhook callbacks to attacker-chosen URLs (server-side request forgery), and place assets outside the folder the application intended.

TL;DR

The @jhb.software/payload-cloudinary-plugin passes client-supplied parameters to Cloudinary's signing helper without validating them. Any authenticated user can obtain a valid Cloudinary API signature (a SHA-1 digest over the sorted parameters with the API secret appended, not an HMAC) for an arbitrary parameter set, which turns the endpoint into a signature oracle: overwrite files, bypass visibility rules, or have Cloudinary call back an attacker-chosen webhook URL.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-347 (Improper Verification of Cryptographic Signature)
  • Attack Vector: Network (authenticated, low-privilege API interaction)
  • CVSS Score: 7.1 (High)
  • Impact: Integrity Loss, Server-Side Request Forgery, Directory Traversal, CDN Invalidation
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed

Affected Systems

  • @jhb.software/payload-cloudinary-plugin >= 0.3.0, < 0.4.0 (fixed in 0.4.0), in deployments with clientUploads enabled, since the signing endpoint serves client-side direct uploads.

Mitigation Strategies

  • Upgrade @jhb.software/payload-cloudinary-plugin to 0.4.0 or later.
  • Until then, disable client-side direct uploads by setting clientUploads to false in the plugin configuration.
  • Restrict uploads to a fixed target folder in the plugin settings so that a signed request cannot name an arbitrary destination.
  • As defense in depth only, add WAF rules that reject requests to the signing endpoint carrying parameters the application never sends (for example public_id, notification_url or invalidate). A WAF cannot tell a legitimate value of an allowed parameter from a malicious one, so this does not replace the upgrade.

Remediation Steps:

  1. Audit package-lock.json or yarn.lock (or run npm ls @jhb.software/payload-cloudinary-plugin) for installed versions of @jhb.software/payload-cloudinary-plugin below 0.4.0, including copies nested under other packages.
  2. In package.json, set the plugin's version range to ^0.4.0.
  3. Run npm install or yarn install to update the lockfile and pull the fixed release, then confirm the installed version.
  4. If upgrading is delayed, open the Payload configuration and set clientUploads: false in the cloudinary plugin's options.
  5. Deploy WAF rules that reject signing requests carrying parameters the application never sends, treating this as a compensating control rather than a fix.

Read the full report for GHSA-H5X8-XP6M-X6Q4 on our website for more details including interactive diagrams and full exploit analysis.
