GHSA-HMCR-RMJQ-47QR

Vulnerability from github – Published: 2026-06-17 14:08 – Updated: 2026-06-17 14:08
Summary
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Details

Summary

The spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv (for example https://example.com/robots.txt?.csv) satisfied the gate even though the underlying request was for robots.txt.

Details

Three layers of protection now apply to the endpoint:

  • The controller is decorated with @UseGuards(DataApiLimiterGuard, GlobalGuard) and @Acl('fetchViaUrl'), so unauthenticated callers and callers without the editor role are rejected before the request body is processed.
  • The extension allowlist is tested against url.pathname only. Callers can no longer satisfy the regex by appending a .csv suffix to the query string.
  • The downstream axios call is wired to useAgent(url) from request-filtering-agent, which blocks RFC 1918, loopback, link-local, and other private destinations at the socket layer.
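
The second layer above, worked through as an added example that is not NocoDB's own code: the pre-fix check runs the extension regex over the whole URL string, while the fixed check parses the URL and tests only `url.pathname`. The allowlist contents beyond `.csv`, the function names and the IPv4-literal helper are assumptions; the helper only illustrates why a hostname-level check is not a substitute for the socket-layer filtering the advisory describes.

```javascript
// Added example, not NocoDB's code. Contrasts a full-URL regex allowlist with
// a pathname-anchored one. ALLOWED_EXT is assumed; the advisory names only .csv.
const ALLOWED_EXT = /\.(csv|xlsx?|json)$/i;

// Pre-fix behaviour: the regex is tested against the raw URL string, so a
// query string ending in ".csv" satisfies it although the path is robots.txt.
function extensionAllowedFullUrl(rawUrl) {
  return ALLOWED_EXT.test(rawUrl);
}

// Fixed behaviour: parse the URL and test only the pathname. Unparseable
// input and non-HTTP schemes are rejected rather than handed to the client.
function extensionAllowedPathname(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return ALLOWED_EXT.test(url.pathname);
}

// Coarse check for IPv4 literals in private, loopback, link-local and
// "this network" ranges (hypothetical helper). It does not resolve DNS, so a
// hostname that resolves to a private address still passes; that gap is what
// resolution-time filtering at the socket layer (request-filtering-agent in
// the fix) closes.
function isPrivateIpv4Literal(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Combined gate: extension on the pathname plus the literal-address check.
function importUrlAccepted(rawUrl) {
  if (!extensionAllowedPathname(rawUrl)) return { ok: false, reason: 'extension' };
  const { hostname } = new URL(rawUrl);
  if (isPrivateIpv4Literal(hostname)) return { ok: false, reason: 'private-literal' };
  return { ok: true, reason: null };
}
```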

Impact

Unauthenticated callers could previously coerce the NocoDB process to issue HTTP requests on their behalf, including to internal services reachable from the host. With the auth gate, the pathname-anchored extension check, and socket-layer destination filtering in place, the endpoint is no longer usable as a generic proxy and can no longer reach private ranges.

Credit

This issue was reported by the GitHub Security Lab (@p-, @m-y-mo).


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-441",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T14:08:26Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe spreadsheet-import endpoint `axiosRequestMake` could be used as a generic\nHTTP proxy. Before the fix it was reachable unauthenticated, and its\nURL-extension allowlist was a regex tested against the full URL string, so\nURLs whose query string ended in `.csv` (for example\n`https://example.com/robots.txt?.csv`) satisfied the gate even though the\nunderlying request was for `robots.txt`.\n\n### Details\nThree layers of protection now apply to the endpoint:\n\n- The controller is decorated with `@UseGuards(DataApiLimiterGuard, GlobalGuard)`\n  and `@Acl(\u0027fetchViaUrl\u0027)`, so unauthenticated callers and callers without\n  the editor role are rejected before the request body is processed.\n- The extension allowlist is tested against `url.pathname` only. Callers can\n  no longer satisfy the regex by appending a `.csv` suffix to the query\n  string.\n- The downstream axios call is wired to `useAgent(url)` from\n  `request-filtering-agent`, which blocks RFC 1918, loopback, link-local,\n  and other private destinations at the socket layer.\n\n### Impact\nUnauthenticated callers could previously coerce the NocoDB process to issue\nHTTP requests on their behalf, including to internal services reachable from\nthe host. With the auth gate in place and the pathname-anchored extension\ncheck combined with socket-layer destination filtering, the endpoint is no\nlonger usable as a generic proxy and can no longer reach private ranges.\n\n### Credit\nThis issue was reported by the [GitHub Security Lab](https://securitylab.github.com/)\n([@p-](https://github.com/p-), [@m-y-mo](https://github.com/m-y-mo)).",
  "id": "GHSA-hmcr-rmjq-47qr",
  "modified": "2026-06-17T14:08:26Z",
  "published": "2026-06-17T14:08:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-hmcr-rmjq-47qr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint"
}