Skip to content
Threat Feed
high advisory

CVE-2026-63088: stoatchat Server-Side Request Forgery (SSRF) via DNS Blocklist Bypass

An unauthenticated, network-accessible Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-63088, exists in stoatchat versions prior to 0.14.0, allowing attackers to bypass DNS-based IP blocklists by exploiting incomplete address validation, potentially leading to unauthorized access to internal network resources.

CVE-2026-63088 describes a critical Server-Side Request Forgery (SSRF) vulnerability affecting stoatchat versions prior to 0.14.0. This flaw allows unauthenticated attackers with network access to the stoatchat instance to bypass the application's DNS-based IP blocklist. The vulnerability stems from incomplete address validation within the url_is_blacklisted function, which only inspects the first resolved IP address of a target URL. However, the underlying HTTP client proceeds to iterate through all cached IP addresses returned by the DNS resolution, including those that would typically be blocked. This enables an attacker to craft DNS responses that present a legitimate initial IP, followed by an internal or restricted IP, effectively turning the stoatchat server into a proxy for internal network access. This vulnerability carries a CVSS v3.1 Base Score of 8.6, indicating a high severity risk.

Attack Chain

  1. An unauthenticated attacker sends a crafted network request to a vulnerable stoatchat instance (version < 0.14.0).
  2. The crafted request includes a URL pointing to a domain controlled by the attacker.
  3. The stoatchat application, specifically the url_is_blacklisted function, resolves the attacker-controlled domain to check if its IP address is blocklisted.
  4. The attacker's DNS server responds with multiple IP addresses for the domain, where the first IP is a benign, public address, but subsequent IPs point to internal or blacklisted resources within the victim's network.
  5. The url_is_blacklisted function validates only the first resolved IP address, which passes the blocklist check, allowing the request to proceed.
  6. The underlying HTTP client within stoatchat then attempts to connect to the provided URL, iterating through all cached IP addresses from the DNS resolution.
  7. This iteration eventually leads the HTTP client to connect to an internal or blacklisted IP address, bypassing the intended security controls.
  8. The stoatchat server effectively acts as a proxy, performing a Server-Side Request Forgery (SSRF) and allowing the attacker to access internal network resources or services.

Impact

Successful exploitation of CVE-2026-63088 allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF). This can lead to unauthorized access to internal network resources and services that are otherwise protected from external reach. Attackers could potentially scan internal networks, access sensitive data from internal APIs or databases, interact with other vulnerable internal services, or even launch further attacks from within the compromised network segment. While the NVD description does not provide specific victim counts or sectors, the nature of SSRF vulnerabilities often means that any organization using the affected software could be at risk of internal network compromise.

Recommendation

  • Immediately upgrade all stoatchat instances to version 0.14.0 or later to patch CVE-2026-63088.
  • Implement egress filtering on network devices to restrict outbound connections from stoatchat servers, preventing access to internal IP ranges (e.g., RFC1918 addresses) or critical internal services.
  • Monitor network connection logs from stoatchat servers for unusual outbound connections, especially to internal IP addresses or non-standard ports that could indicate SSRF attempts.