Threat Feed
Severity: high

dssrf SSRF Protection Bypass via IPv6 Addresses

A vulnerability in the dssrf npm package allows attackers to bypass SSRF protections by using specially crafted IPv6 addresses, despite documentation claiming IPv6 is disabled, which can lead to internal resource access or other malicious activities.

The dssrf npm package, designed to prevent Server-Side Request Forgery (SSRF) attacks, contains a flaw that permits attackers to bypass its protections. This bypass is achieved by supplying specific IPv6 addresses that the is_url_safe function fails to properly validate. The dssrf documentation incorrectly states that IPv6 is disabled entirely, leading to a false sense of security. The vulnerability affects versions prior to 1.3.0. This allows attackers to potentially access internal network resources or conduct other malicious activities by crafting requests that appear safe but are ultimately routed to unintended destinations. This issue was reported responsibly, and users are urged to update to version 1.3.0 immediately.

Attack Chain

  1. An attacker identifies a web application utilizing a vulnerable version of the dssrf npm package for URL safety checks.
  2. The attacker crafts a malicious URL containing an IPv6 address designed to bypass the is_url_safe function, such as http://[::1]/ (IPv6 loopback) or http://[::ffff:169.254.169.254]/ (IPv4-mapped IMDS).
  3. The web application, relying on the flawed dssrf.is_url_safe function, incorrectly identifies the malicious URL as safe.
  4. The web application then uses the “safe” URL to make an HTTP request using standard libraries like node-fetch.
  5. Due to the bypassed SSRF protection, the request is sent to the attacker-specified IPv6 address, potentially targeting internal resources or services.
  6. The internal service processes the attacker’s request, potentially exposing sensitive data or allowing unauthorized actions.
  7. The attacker receives the response from the internal service, successfully exfiltrating data or manipulating internal systems.

Impact

Successful exploitation of this vulnerability allows attackers to bypass SSRF protections, potentially granting access to internal network resources, sensitive data, or unintended services. The number of affected applications is currently unknown, but any application using a vulnerable version of dssrf (< 1.3.0) is susceptible. This could lead to data breaches, unauthorized access to cloud metadata services, or other internal service exploitation. The vulnerable package has had over 10,000 weekly downloads, demonstrating widespread use and potential impact.

Recommendation

  • Upgrade the dssrf npm package to version 1.3.0 or later to remediate the vulnerability as advised in the advisory (https://github.com/advisories/GHSA-8p33-q827-ghj5).
  • Implement additional server-side input validation to filter URLs containing potentially malicious IPv6 addresses, complementing the dssrf package.
  • Deploy the Sigma rules listed under Detection coverage below to identify attempts to bypass SSRF protections with IPv6 addresses in request URLs and Host headers.

Detection coverage

Detect dssrf SSRF Bypass Attempts via IPv6 Addresses

Severity: high

Detects attempts to bypass SSRF protections by using specific IPv6 address formats known to be mishandled by dssrf.

Format: Sigma. Tactics: defense_evasion. Sources: webserver, linux.

Detect dssrf SSRF Bypass Attempts via IPv6 Host Header

Severity: medium

Detects attempts to bypass SSRF protections by using specific IPv6 address formats in the HTTP Host header, which may be missed by URL parsing logic.

Format: Sigma. Tactics: defense_evasion. Sources: webserver, linux.


Indicators of compromise

Type   Value
url    http://[::1]/
url    http://[fc00::1]/
url    http://[fe80::1]/
url    http://[::ffff:127.0.0.1]/
url    http://[::ffff:169.254.169.254]/
url    http://[::ffff:100.64.0.1]/
url    http://[64:ff9b::7f00:1]/
url    http://[64:ff9b:1::1]/
url    http://[5f00::1]/
url    http://[3fff::1]/
url    http://[fec0::1]/
url    http://[::127.0.0.1]/