Server-side Request Forgery (SSRF) Affecting nocodb package, versions *


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.3% (22nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-NOCODB-17821596
  • published6 Jul 2026
  • disclosed17 Jun 2026
  • creditp-

Introduced: 17 Jun 2026

NewCVE-2026-53931  (opens in a new tab)
CWE-441  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

nocodb is a NocoDB

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the spreadsheet import URL check in UtilsService._axiosRequestMake in packages/nocodb/src/services/utils.service.ts. An attacker can make the server fetch an arbitrary URL by submitting a spreadsheet-import request whose target URL passes the extension allowlist, such as a non-spreadsheet path with a query string ending in .csv. Because the allowlist was applied to the full URL string instead of the URL pathname, the endpoint accepted crafted URLs that were not actually spreadsheet files. This lets an attacker coerce the NocoDB process into issuing HTTP requests on their behalf, including requests to internal services reachable from the host.

Notes

  • The vulnerable endpoint was reachable without any auth gate in the advisory’s reported deployment, so any unauthenticated caller who could hit the import API could trigger the server-side fetch.
  • The bypass depended on the URL being accepted as a spreadsheet by extension alone; URLs with a non-spreadsheet path but a query string like ?.csv satisfied the check.

CVSS Base Scores

version 4.0
version 3.1