{ "schema_version": "1.4.0", "id": "GHSA-3p3p-cgj7-vgw3", "modified": "2024-03-21T18:25:36Z", "published": "2024-03-06T17:03:11Z", "aliases": [ "CVE-2024-27927" ], "summary": "RSSHub vulnerable to Server-Side Request Forgery", "details": "### Summary\n\nServeral Server-Side Request Forgery (SSRF) vulnerabilities in RSSHub allow remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks.\n\n### Details\n\n#### `/mastodon/acct/:acct/statuses/:only_media?`\n\nhttps://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7\n\nhttps://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105\n\n#### `/zjol/paper/:id?`\n\nhttps://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13\n\n#### `/m4/:id?/:category*`\n\nhttps://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14\n\n### PoC\n\n- https://rsshub.app/mastodon/acct/test@a6wt15r2.requestrepo.com%23/statuses\n- https://rsshub.app/zjol/paper/a6wt15r2.requestrepo.com%23\n- https://rsshub.app/m4/a6wt15r2.requestrepo.com%23/test\n\n### Impact\n\nThe attacker can send malicious requests to a RSSHub server, to make the server send HTTP GET requests to arbitrary destinations and see partial responses. This may lead to:\n\n1. Leak the server IP address, which could be hidden behind a CDN.\n2. Retrieve information in the internal network. e.g. which addresses/ports are accessible, the titles and meta descriptions of HTML pages.\n3. DoS amplification. The attacker could request the server to download some large files, or chain several SSRF requests in a single attacker request: `https://rsshub.a.com/zjol/paper/rsshub.b.net%2Fzjol%2Fpaper%2Frsshub.a.com%252Fzjol%252Fpaper%252Frsshub.b.net%25252Fzjol%25252Fpaper%25252Frsshub.a.com%2525252Fzjol%2525252Fpaper%2525252Fexample.com%2525252523%25252523%252523%2523%23`.\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "rsshub" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.0-master.a429472" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27927" }, { "type": "WEB", "url": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069" }, { "type": "PACKAGE", "url": "https://github.com/DIYgod/RSSHub" }, { "type": "WEB", "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14" }, { "type": "WEB", "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13" }, { "type": "WEB", "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7" }, { "type": "WEB", "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105" } ], "database_specific": { "cwe_ids": [ "CWE-918" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-03-06T17:03:11Z", "nvd_published_at": "2024-03-21T02:52:21Z" } }