NocoDB, Blind Server-Side Request Forgery (SSRF), CVE Undisclosed (Moderate)

Listen to this Post

The vulnerability occurs in the `uploadViaURL` function when processing a user-supplied URL. Before downloading a file, the function uses `axios.head()` to send a HEAD request to the target URL to retrieve metadata like content-type and size. This initial HEAD request is executed without applying the project’s SSRF filtering controls. While the subsequent `axios.get()` request for the actual file content is properly protected by URL validation and allowlist checks, the unprotected HEAD request leaks first. This allows an attacker to trigger blind outbound HTTP HEAD requests to arbitrary internal or external systems. The impact is limited to blind probing as HEAD requests do not return response bodies, but it can reveal service reachability and interaction with internal endpoints sensitive to HEAD methods.
Platform: NocoDB
Version: Pre-patch
Vulnerability : Blind SSRF
Severity: Moderate
date: Undisclosed

Prediction: 2024-05-15

What Undercode Say:

curl -X POST 'http://localhost:8080/api/v2/storage/upload-by-url' \
-H 'Content-Type: application/json' \
-H 'xc-auth: <token>' \
-d '[{"url": "http://169.254.169.254/", "fileName": "test.txt"}]'
// Vulnerable code segment
if (!url.startsWith('data:')) {
response = await axios.head(url, { maxRedirects: 5 });
mimeType = response.headers['content-type']?.split(';')[bash];
size = response.headers['content-length'];
finalUrl = response.request.res.responseUrl;
}

How Exploit:

Send POST request

Controlled URL parameter

Triggers blind HEAD

Protection from this CVE

Apply SSRF filters

Before HEAD request

Validate all URLs

Impact:

Internal service probing

Blind outbound requests

Limited information disclosure

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top