
@lirantal
Created December 25, 2024 08:10
SSRF Bypass in `ssrfcheck` - fails to classify reserved IP address space as invalid

ssrfcheck is an npm package that provides protection against SSRF by validating URL or hostname inputs.

Resources:

Vulnerability

The ssrfcheck package maintains a denylist of IP addresses and ranges to check against when validating if an IP address is to be considered as safe or not.

However, the IP address list used for the denylist is incomplete and misses a reserved IP address space as defined by the IANA (Internet Assigned Numbers Authority):

  • 224.0.0.0/4 - Multicast

In practice, this reserved address space carries multicast traffic, most commonly local communication over network protocols such as UDP, which makes it less likely to be useful in a typical SSRF attack.

However, such reserved IP address space shouldn't be allowed, and it is the responsibility of an SSRF protection package to align with an agreed-upon standard of special-purpose addresses that are not considered valid public IP addresses. For reference, the popular npm packages private-ip and ipaddr.js, which are widely depended upon for SSRF protection decisions, both treat the above-mentioned IP address space as reserved rather than as a valid public IP address.

Exploit Proof of Concept

  1. Install the ssrfcheck package:

```bash
npm install ssrfcheck
```

  2. Define an app.js file that uses the programmatic API of ssrfcheck:

```js
import { isSSRFSafeURL } from 'ssrfcheck';

let result;
result = isSSRFSafeURL('https://012.1.2.3/whatever');
console.log(result);  // returns false
result = isSSRFSafeURL('https://localhost:8080/whatever');
console.log(result);  // returns false

result = isSSRFSafeURL('https://239.255.255.250:8080/whatever');
console.log(result);  // returns true - bypassed
```
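As an added example that is not part of this report or of ssrfcheck's own code, the script below shows what a special-purpose IPv4 denylist that includes 224.0.0.0/4 looks like, and applies it to the same URLs the proof of concept uses. The range list, the function names and the sample public address 1.2.3.4 are this example's own assumptions; a production check must additionally resolve hostnames and handle IPv6.

```javascript
// Added example (not ssrfcheck's code): a special-purpose IPv4 check that
// includes the 224.0.0.0/4 multicast block the report says ssrfcheck missed.
// The range list and function names are this example's own assumptions.
const RESERVED_IPV4 = [
  '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.0.0.0/24', '192.0.2.0/24',
  '192.88.99.0/24', '192.168.0.0/16', '198.18.0.0/15', '198.51.100.0/24',
  '203.0.113.0/24', '224.0.0.0/4', '240.0.0.0/4', '255.255.255.255/32',
];

// Strict dotted quad -> unsigned 32-bit int, or null. Leading-zero octets
// are rejected; the WHATWG URL parser normalizes octal/hex forms upstream.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    if (m[i].length > 1 && m[i][0] === '0') return null;
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if `ip` (a valid dotted quad) falls inside any reserved CIDR block.
function isReservedIPv4(ip) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return false;
  return RESERVED_IPV4.some((cidr) => {
    const [base, bits] = cidr.split('/');
    const mask = (0xFFFFFFFF << (32 - Number(bits))) >>> 0; // unsigned netmask
    return ((addr & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// 'blocked' for a reserved IPv4 literal, 'public' for any other IPv4 literal,
// 'not-ipv4' for a name or IPv6 literal (a full check must resolve those and
// re-run isReservedIPv4 on every address returned).
function classifyUrlHost(url) {
  const { hostname } = new URL(url); // normalizes e.g. octal octets
  if (ipv4ToInt(hostname) === null) return 'not-ipv4';
  return isReservedIPv4(hostname) ? 'blocked' : 'public';
}

// Constructed sample inputs, including the multicast URL from the report.
for (const u of ['https://239.255.255.250:8080/whatever',
                 'https://localhost:8080/whatever', 'https://1.2.3.4/'])
  console.log(u, '->', classifyUrlHost(u));
```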

Vulnerable versions

All versions of ssrfcheck are vulnerable to this issue, up to and including the latest version, 1.1.1.

Author

Liran Tal

@felippe-regazio

Hello @lirantal! Thank you for the report, very valuable for the package! I created an issue on the repository and will be working on a patch to solve this problem in the next few days - feel free to PR or comment on the issue: felippe-regazio/ssrfcheck#5.

@lirantal
Author

Hi @felippe-regazio, sounds good! Can you please enable private vulnerability reporting in the repo's settings? See here for how to do it if you can't easily find it: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability

Once you do it, I can post the report there and then you can publish it and request a CVE officially through GitHub which handles all of it.

@felippe-regazio

felippe-regazio commented Jul 13, 2025

Hello @lirantal, of course, I have enabled private vulnerability reporting. Also, I addressed a fix, which is already merged, and published version 1.2.0. You can do a new test with version 1.2.0 or by running:

```bash
npx ssrfcheck https://239.255.255.250:8080/whatever
```

I really appreciated your report, many thanks!

@lirantal
Author

@felippe I am waiting for you to accept the report at GHSA-p4hc-9pjh-55c8 and then click "Publish" and then "Request CVE"
