GHSA-QWXP-6QF9-WR4M
Vulnerability from github – Published: 2026-03-18 16:34 – Updated: 2026-03-20 21:28The /download endpoint validates only the initial URL provided by the user using validateDownloadURL() to prevent requests to internal or private network addresses.
Exploitation requires \security.allowDownload=true, which is disabled by default.
However, pages loaded by the embedded Chromium browser can trigger additional browser-side requests (for example, JavaScript redirects, navigations, or resource requests) after the initial validation step.
Because the validation is only applied to the initial URL and not to subsequent browser-issued request targets, an attacker-controlled page can cause the browser to issue requests to internal network services reachable from the PinchTab host.
This results in a blind Server-Side Request Forgery (SSRF) condition in which internal-only services may be accessed and state-changing endpoints may be triggered without returning the response body to the attacker.
Steps to Reproduce:
Environment Setup Target: PinchTab server (tested on v0.8.x, v0.7.x) Attacker-controlled server: Publicly accessible (e.g., via ngrok) attacker.py Internal service: Runs on the same host as PinchTab and is not externally accessible internal_service.py
1. Start a Local Internal Service (Victim Side)
Run a simple HTTP service bound to localhost: internal_service.py
python internal_service.py
#Example behavior of internal_service.py:
#Listens on 127.0.0.1:1337
#Exposes endpoint /increment
#Increments a counter and logs requests
#Expected output when accessed:
#COUNTER INCREMENTED: 1
#COUNTER INCREMENTED: 2
2. Host an Attacker-Controlled Page (Attacker side)
Deploy a malicious HTML page that redirects to the internal service: attacker.py
<html>
<body>
<script>
setTimeout(function(){
window.location = "http://127.0.0.1:1337/increment";
}, 1500);
</script>
</body>
</html>
Host this page on a publicly accessible server (e.g., using ngrok): https://fcb8-180-149-93-3.ngrok-free.app
3. Trigger the Vulnerable Endpoint (Attacker side)
Send a request to the PinchTab /download endpoint:
curl "http://[server-ip]:9867/download?url=https://fcb8-180-149-93-3.ngrok-free.app"
If a server token is configured, the request must include valid authentication.
4. Observe Server-Side Request to Localhost
When PinchTab processes the request: 1. It launches a headless Chromium instance 2. The browser loads the attacker-controlled page 3. JavaScript executes within the browser 4. The browser redirects to: http://127.0.0.1:1337/increment
5. Verify the Impact
Check the output of internal_service.py:
COUNTER INCREMENTED: 1
This confirms that the request originated from the PinchTab host and that an attacker can successfully access localhost-only internal services via the browser, despite the initial URL validation.
Impact
This vulnerability allows an attacker to bypass the /download URL validation and cause the embedded Chromium browser to make requests to internal network services. By hosting a page that performs a redirect after the initial validation, an attacker can force the browser to access resources such as 127.0.0.1 or other private network addresses reachable from the PinchTab host.
Although the response is not returned to the attacker (blind SSRF), this behavior can still be used to interact with internal services and trigger state-changing endpoints. In environments where sensitive services or cloud metadata endpoints are accessible from the host, this could lead to more serious security impact.
Mitigation
Apply the same URL safety policy to every browser-issued request in the /download flow, not only the initial user-supplied URL, and block requests to loopback, private, link-local, and other non-public network ranges inside the Chromium browser context.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/pinchtab/pinchtab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33081"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T16:34:00Z",
"nvd_published_at": "2026-03-20T10:16:18Z",
"severity": "MODERATE"
},
"details": "### **The /download endpoint validates only the initial URL provided by the user using validateDownloadURL() to prevent requests to internal or private network addresses.**\n\nExploitation requires \\security.allowDownload=true`, which is disabled by default.`\n\nHowever, pages loaded by the embedded Chromium browser can trigger additional browser-side requests (for example, JavaScript redirects, navigations, or resource requests) after the initial validation step.\n\nBecause the validation is only applied to the initial URL and not to subsequent browser-issued request targets, an attacker-controlled page can cause the browser to issue requests to internal network services reachable from the PinchTab host.\n\nThis results in a blind Server-Side Request Forgery (SSRF) condition in which internal-only services may be accessed and state-changing endpoints may be triggered without returning the response body to the attacker.\n\n\n### **Steps to Reproduce:**\n\n**Environment Setup**\nTarget: PinchTab server (tested on v0.8.x, v0.7.x)\nAttacker-controlled server: Publicly accessible (e.g., via ngrok) [attacker.py](https://github.com/user-attachments/files/26013554/att.py)\nInternal service: Runs on the same host as PinchTab and is not externally accessible [internal_service.py](https://github.com/user-attachments/files/26013551/internal.py)\n\n**1. Start a Local Internal Service (Victim Side)**\n\nRun a simple HTTP service bound to localhost: [internal_service.py](https://github.com/user-attachments/files/26013551/internal.py)\n \n python internal_service.py\n \n #Example behavior of internal_service.py:\n #Listens on 127.0.0.1:1337\n #Exposes endpoint /increment\n #Increments a counter and logs requests\n \n #Expected output when accessed:\n #COUNTER INCREMENTED: 1\n #COUNTER INCREMENTED: 2\n\n**2. Host an Attacker-Controlled Page (Attacker side)**\n\nDeploy a malicious HTML page that redirects to the internal service: [attacker.py](https://github.com/user-attachments/files/26013554/att.py)\n\n \u003chtml\u003e\n \u003cbody\u003e\n \u003cscript\u003e\n setTimeout(function(){\n window.location = \"http://127.0.0.1:1337/increment\";\n }, 1500);\n \u003c/script\u003e\n \u003c/body\u003e\n \u003c/html\u003e\nHost this page on a publicly accessible server (e.g., using ngrok): https://fcb8-180-149-93-3.ngrok-free.app\n\n\n**3. Trigger the Vulnerable Endpoint (Attacker side)**\n\nSend a request to the PinchTab /download endpoint:\n\n curl \"http://[server-ip]:9867/download?url=https://fcb8-180-149-93-3.ngrok-free.app\"\n\nIf a server token is configured, the request must include valid authentication.\n\n**4. Observe Server-Side Request to Localhost**\n\nWhen PinchTab processes the request:\n1. It launches a headless Chromium instance\n2. The browser loads the attacker-controlled page\n3. JavaScript executes within the browser\n4. The browser redirects to: http://127.0.0.1:1337/increment\n\n\n**5. Verify the Impact**\n\nCheck the output of internal_service.py:\n \u003cimg width=\"718\" height=\"156\" alt=\"proof\" src=\"https://github.com/user-attachments/assets/cf00e3e6-71c6-44ae-83b0-ed819f19ee9a\" /\u003e\n\nCOUNTER INCREMENTED: 1\n \u003cimg width=\"718\" height=\"282\" alt=\"proof_incremented\" src=\"https://github.com/user-attachments/assets/98281b8e-221b-4e76-a10b-1b2335d08c61\" /\u003e\n\n**This confirms that the request originated from the PinchTab host and that an attacker can successfully access localhost-only internal services via the browser, despite the initial URL validation.**\n\n\n### **Impact**\nThis vulnerability allows an attacker to bypass the /download URL validation and cause the embedded Chromium browser to make requests to internal network services. By hosting a page that performs a redirect after the initial validation, an attacker can force the browser to access resources such as 127.0.0.1 or other private network addresses reachable from the PinchTab host.\n\nAlthough the response is not returned to the attacker (blind SSRF), this behavior can still be used to interact with internal services and trigger state-changing endpoints. In environments where sensitive services or cloud metadata endpoints are accessible from the host, this could lead to more serious security impact.\n\n### **Mitigation**\nApply the same URL safety policy to every browser-issued request in the `/download` flow, not only the initial user-supplied URL, and block requests to loopback, private, link-local, and other non-public network ranges inside the Chromium browser context.",
"id": "GHSA-qwxp-6qf9-wr4m",
"modified": "2026-03-20T21:28:07Z",
"published": "2026-03-18T16:34:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-qwxp-6qf9-wr4m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33081"
},
{
"type": "PACKAGE",
"url": "https://github.com/pinchtab/pinchtab"
},
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PinchTab has a Blind SSRF via browser-side redirect bypass in /download URL validation"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.