How the CVE Works:
The vulnerability in `got.scraping` arises from insufficient IP validation across HTTP redirects. When Summaly processes a URL, it resolves the hostname, checks the resolved address against a private-IP blocklist, and sends a `HEAD` request. The subsequent `GET` request is not re-validated: if the server answers it with a redirect, the client follows the `Location` header without resolving and checking the new target. An attacker exploits this with a server that returns a harmless `200` to the `HEAD` request but answers the `GET` with a `302` pointing at an internal address (e.g. `127.0.0.1` or `192.168.x.x`). This bypasses Summaly's IP filtering and yields SSRF (Server-Side Request Forgery): the Summaly host can be made to request internal services and link-local endpoints, enabling internal network reconnaissance.
DailyCVE Form:
Platform: got.scraping
Version: < vulnerable versions >
Vulnerability: SSRF via redirect
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
Exploit:
- Set up a malicious server (Nginx; the snippet below is Nginx syntax) that answers the pre-check and the real fetch differently:
    location /bypass {
        # The HEAD pre-check sees a harmless 200 on a public IP ...
        if ($request_method = HEAD) { return 200; }
        # ... while the GET that follows is redirected into the loopback range.
        if ($request_method = GET)  { return 302 http://127.0.0.1/admin; }
    }
- Trick Summaly into fetching the URL (e.g. `https://attacker.com/bypass`), for example by posting a link that gets previewed. The `GET` follows the redirect to `http://127.0.0.1/admin` without the blocklist being consulted again.
Detection:
Check the installed version against the affected range in the advisory (`vulnerable.version` below is a placeholder for the version range the advisory lists):
    npm ls got.scraping | grep "vulnerable.version"
Also review outbound-request logs on the Summaly host for fetches whose redirect chain ends on a loopback, RFC 1918 or link-local address.
Mitigation:
- Patch by enforcing IP validation on every hop, i.e. for the initial request and again for each redirect target before it is followed (`isPrivateIP` is the existing blocklist check; `dns.lookup` is asynchronous, so the check must be awaited). The address that passes the check must also be the one the client actually connects to, otherwise a DNS rebinding between check and connect reopens the gap:
    const dns = require('node:dns').promises;

    // Call for the initial URL and for the target of every redirect.
    async function validateTarget(url) {
      const { hostname } = new URL(url);
      const { address } = await dns.lookup(hostname);
      if (isPrivateIP(address)) throw new Error(`Blocked internal IP ${address} for ${hostname}`);
      return address;
    }
- Network-level:
Block outbound HTTP from the fetcher to private, loopback and link-local ranges via iptables (192.168.0.0/16 alone is not enough; `summaly` below is assumed to be the service account the fetcher runs as, so that the rule does not break the host's own loopback traffic):
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16; do
        iptables -A OUTPUT -m owner --uid-owner summaly -d "$net" -j DROP
    done
References:
Impact Metrics:
- CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, listed here with a score of 9.1. Note that this vector computes to a base score of 8.6 (High) under the CVSS 3.1 formula, so either the score or the vector on this page is inconsistent with the Critical rating above.
- Exploitability: Low complexity, no auth required.
Sources:
Reported By: github.com