StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
Severity: High
Description
The S3 storage manager's isAuthorized() function is declared async (it returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Because a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, so the authorization check never rejects a request and is bypassed entirely.
Recommendation
Update the @studiocms/s3-storage package to a patched version. Version details:
- Affected version(s): <= 0.3.0
- Patched version(s): 0.3.1
References
Related Issues
- paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - paperclipai - CVE-2026-41679
- LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header - CVE-2026-39411
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
Tags: npm, @studiocms/s3-storage
Last updated on March 12, 2026