An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS12OHdqLWY1YzctcHZ4Zs4ABIaB

Severity: Moderate
EPSS: 0.00059% (0.18399 percentile)

Strapi allows Server-Side Request Forgery in Webhook function

Affected package: npm:@strapi/admin (PURL: pkg:npm/%40strapi%2Fadmin)
Affected versions: < 4.25.2
Fixed versions: 4.25.2
24 dependent packages, 2,836 dependent repositories, 567,083 downloads last month

Affected Version Ranges

All affected versions

4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.2.0, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.10.1, 4.10.2, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.10.8, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.11.7, 4.12.0, 4.12.1, 4.12.2, 4.12.4, 4.12.5, 4.12.6, 4.12.7, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.13.4, 4.13.5, 4.13.6, 4.13.7, 4.14.0, 4.14.1, 4.14.2, 4.14.3, 4.14.4, 4.14.5, 4.14.6, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.15.4, 4.15.5, 4.16.0, 4.16.1, 4.16.2, 4.17.0, 4.17.1, 4.18.0, 4.19.0, 4.19.1, 4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.20.4, 4.20.5, 4.21.0, 4.21.1, 4.22.0, 4.22.1, 4.23.0, 4.23.1, 4.23.2, 4.24.0, 4.24.1, 4.24.2, 4.24.3, 4.24.4, 4.24.5, 4.25.0, 4.25.1

All unaffected versions

4.25.2, 4.25.3, 4.25.4, 4.25.5, 4.25.6, 4.25.7, 4.25.8, 4.25.9, 4.25.10, 4.25.11, 4.25.12, 4.25.13, 4.25.14, 4.25.15, 4.25.16, 4.25.17, 4.25.18, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 5.5.1

Description

In the latest version of Strapi, the Settings -> Webhooks function lets a user enter a URL to create a webhook connection. However, this field also accepts local addresses such as localhost, 127.0.0.1 or 0.0.0.0, which makes the application send requests to itself or its internal network, resulting in Server-Side Request Forgery (SSRF).

Payloads

  • http://127.0.0.1:80 -> port 80 is not open
  • http://127.0.0.1:1337 -> the port Strapi is running on

Steps to Reproduce

  • First, enter the URL http://127.0.0.1:80 into the URL field and click "Save".

  • Next, use the "Trigger" function and capture the request and response with Burp Suite.

  • The server responds with "request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80", because port 80 is not open. Since Strapi is running on port 1337, change the URL entered above to http://127.0.0.1:1337.

  • Click "Trigger" again and capture the request and response with Burp.

  • The server returns Method Not Allowed, which confirms that a service is listening on port 1337 on the machine.

PoC

PoC video:

https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing

Impact

  • On a production server running Strapi with many open ports, an attacker can use this SSRF vulnerability to probe all 65535 ports and learn which of them are open.
References: