Hi everyone,
We have just released Mime v2.0.4 with a potential security fix. Before this version, Mime.extensions("foo/bar+baz")
would return “baz” as an extension, whatever “baz” is. So for example:
iex> Mime.extensions("foo/bar+custom/../baz/bat")
"custom/../baz/bat"
This release makes it so it only returns known registered suffixes, by default: gzip, xml, json, and zip.
I have checked Plug, Phoenix, LiveView and I could not find any indication of this behavior being used as an attack vector. In any case, I recommend upgrading, especially if you use Mime.extensions in your own application.
A huge thank you to @MullPointer for the original report: Only return extensions for known structured syntax suffixes by MullPointer · Pull Request #76 · elixir-plug/mime · GitHub
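As an added illustration, not code from the Mime library or from this post, the hypothetical module below contrasts the pre-2.0.4 behaviour (anything after "+" is treated as an extension) with the 2.0.4 behaviour (only registered structured syntax suffixes are returned), so you can see why a suffix like "custom/../baz/bat" should never reach a filename:

```elixir
defmodule SuffixExtensions do
  @moduledoc """
  Hypothetical helper mirroring the Mime v2.0.4 change. It is not the
  Mime library's own implementation; only the suffix allowlist and the
  example input come from the announcement.
  """

  # Structured syntax suffixes that Mime 2.0.4 accepts by default.
  @known_suffixes ~w(gzip xml json zip)

  @doc "Pre-2.0.4 behaviour: whatever follows the '+' becomes an extension."
  def unsafe_suffix_extension(type) do
    case String.split(type, "+", parts: 2) do
      [_subtype, suffix] -> [suffix]
      _ -> []
    end
  end

  @doc "Post-2.0.4 behaviour: the suffix is returned only if it is registered."
  def safe_suffix_extension(type) do
    with [_subtype, suffix] <- String.split(type, "+", parts: 2),
         true <- suffix in @known_suffixes do
      [suffix]
    else
      _ -> []
    end
  end
end

# Constructed inputs: the traversal-looking suffix from the announcement
# and a legitimate "+json" type. Run with `elixir suffix_extensions.exs`.
IO.inspect(SuffixExtensions.unsafe_suffix_extension("foo/bar+custom/../baz/bat"))
IO.inspect(SuffixExtensions.safe_suffix_extension("foo/bar+custom/../baz/bat"))
IO.inspect(SuffixExtensions.safe_suffix_extension("application/vnd.api+json"))
```

The unsafe version hands the attacker-controlled suffix straight through, while the allowlisted version returns an empty list for anything outside gzip, xml, json and zip.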