In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.
Start learningUpgrade signalk-server to version 2.28.0 or higher.
signalk-server is an An implementation of a Signal K server for boats.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the makeRemoteRequest function. An attacker can access internal network resources, cloud metadata services, and arbitrary external hosts by supplying crafted parameters to administrative endpoints without authentication. This allows exfiltration of sensitive data, internal network scanning, and interaction with internal APIs. The attacker can also bypass TLS certificate verification by setting the selfsignedcert parameter, and exploit path traversal in the checkAccessRequest endpoint to target arbitrary paths on the destination host. This is only exploitable if the server is running with default security settings and no admin user is configured.