Apache Cordova plugin cordova-plugin-file-transfer vulnerable to HTTP header injection


cordova-plugin-file-transfer, a plugin for Apache Cordova provided by the Apache Software Foundation, provides functionality to upload and download files in applications created by Apache Cordova. It also provides functionality to add HTTP headers.
Android applications that use cordova-plugin-file-transfer contain a HTTP header injection vulnerability due to a flaw in processing file names.

Muneaki Nishimura of Sony Digital Network Applications, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Apache Software Foundation
  • cordova-plugin-file-transfer 1.2.1 and earlier versions


File name inclusion in additional HTTP headers may result in a forged webpage to be displayed on the user's web browser, arbitrary script execution, or setting arbitrary values for cookies.

[Update the plugin and rebuild the application]
Update cordova-plugin-file-transfer to 1.3.0 or above versions and rebuild the application.
According to the developer, the updated version is compliant with RFC2616, therefore any non-ASCII characters and control characters will be deleted when adding HTTP headers.

For more information, please refer to the information provided by the developer.
Vendor Information

Apache Software Foundation
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-5204

  1. JVN : JVN#21612597
  2. National Vulnerability Database (NVD) : CVE-2015-5204
Revision History

  • [2015/09/29]
      Web page was published
      References : Content was added