GHSA-RW8P-C6HF-Q3PG

Vulnerability from github – Published: 2026-03-06 18:40 – Updated: 2026-03-09 15:50
VLAI?
Summary
PinchTab has SSRF with Full Response Exfiltration via Download Handler
Details

SSRF with Full Response Exfiltration via Download Handler

Summary

A Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.

Details

The GET /download?url=<url> handler in download.go accepts a user-controlled url parameter and passes it directly to chromedp.Navigate(dlURL) without any validation or sanitization.

// internal/handlers/download.go:78
if err := chromedp.Run(ctx, chromedp.Navigate(dlURL)); err != nil {
    return fmt.Errorf("navigate to %s: %w", dlURL, err)
}

Since the request is performed by the headless Chrome browser instance managed by PinchTab, it can access: 1. Local Files: Using the file:// scheme (e.g., file:///etc/passwd). 2. Internal Services: Accessing services bound to localhost or internal network IPs that are not reachable from the outside. 3. Cloud Metadata: Accessing cloud provider metadata endpoints (e.g., 169.254.169.254).

The server then returns the captured response body directly to the attacker, enabling full exfiltration of sensitive data.

PoC

To reproduce the vulnerability, ensure the PinchTab server is running and accessible.

  1. Local File Read: Execute the following curl command to read /etc/passwd: bash curl -X GET "http://localhost:9867/download?url=file:///etc/passwd"

  2. Internal Service Access: If a service is running on localhost:8080, access it via: bash curl -X GET "http://localhost:9867/download?url=http://localhost:8080/internal-admin"

The response will contain the content of the targeted file or service.

PoC video:

https://github.com/user-attachments/assets/b15776ea-13cc-4534-ba7b-6d5c4e0ee74f

Impact

This is a high-severity SSRF vulnerability. It impacts the confidentiality and security of the host system and the internal network where PinchTab is deployed. Attackers can exfiltrate sensitive system files, probe internal network infrastructure, and potentially gain access to internal management interfaces or cloud credentials. While PinchTab is often used in local environments, any deployment where the API is exposed (even with authentication) allows a compromised or malicious client to pivot into the internal network.

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.7.6"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pinchtab/pinchtab/cmd/pinchtab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T18:40:58Z",
    "nvd_published_at": "2026-03-07T16:15:56Z",
    "severity": "HIGH"
  },
  "details": "# SSRF with Full Response Exfiltration via Download Handler\n\n### Summary\nA Server-Side Request Forgery (SSRF) vulnerability in the `/download` endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.\n\n### Details\nThe `GET /download?url=\u003curl\u003e` handler in [download.go](file:///Users/quan.m.le/Workspaces/pinchtab/internal/handlers/download.go#L78) accepts a user-controlled `url` parameter and passes it directly to `chromedp.Navigate(dlURL)` without any validation or sanitization.\n\n```go\n// internal/handlers/download.go:78\nif err := chromedp.Run(ctx, chromedp.Navigate(dlURL)); err != nil {\n    return fmt.Errorf(\"navigate to %s: %w\", dlURL, err)\n}\n```\n\nSince the request is performed by the headless Chrome browser instance managed by PinchTab, it can access:\n1.  **Local Files**: Using the `file://` scheme (e.g., `file:///etc/passwd`).\n2.  **Internal Services**: Accessing services bound to `localhost` or internal network IPs that are not reachable from the outside.\n3.  **Cloud Metadata**: Accessing cloud provider metadata endpoints (e.g., `169.254.169.254`).\n\nThe server then returns the captured response body directly to the attacker, enabling full exfiltration of sensitive data.\n\n### PoC\nTo reproduce the vulnerability, ensure the PinchTab server is running and accessible.\n\n1.  **Local File Read**:\n    Execute the following curl command to read `/etc/passwd`:\n    ```bash\n    curl -X GET \"http://localhost:9867/download?url=file:///etc/passwd\"\n    ```\n\n2.  **Internal Service Access**:\n    If a service is running on `localhost:8080`, access it via:\n    ```bash\n    curl -X GET \"http://localhost:9867/download?url=http://localhost:8080/internal-admin\"\n    ```\n\nThe response will contain the content of the targeted file or service.\n\n\nPoC video:\n\nhttps://github.com/user-attachments/assets/b15776ea-13cc-4534-ba7b-6d5c4e0ee74f\n\n### Impact\nThis is a high-severity SSRF vulnerability. It impacts the confidentiality and security of the host system and the internal network where PinchTab is deployed. Attackers can exfiltrate sensitive system files, probe internal network infrastructure, and potentially gain access to internal management interfaces or cloud credentials. While PinchTab is often used in local environments, any deployment where the API is exposed (even with authentication) allows a compromised or malicious client to pivot into the internal network.",
  "id": "GHSA-rw8p-c6hf-q3pg",
  "modified": "2026-03-09T15:50:19Z",
  "published": "2026-03-06T18:40:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-rw8p-c6hf-q3pg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30834"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pinchtab/pinchtab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PinchTab has SSRF with Full Response Exfiltration via Download Handler"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.