NukeViet Server-Side Request Forgery via X-Forwarded-Host (CVE-2026-55372)
An unauthenticated attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in NukeViet by spoofing the X-Forwarded-Host and X-Forwarded-Proto HTTP headers, allowing the server to make a cURL request to an attacker-controlled host without validation for internal host/port discovery and cache poisoning. The vulnerability affects NukeViet versions prior to 4.6.00.
A pre-authentication Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-55372, exists in NukeViet versions prior to 4.6.00. This flaw allows an unauthenticated attacker to manipulate the X-Forwarded-Host and X-Forwarded-Proto HTTP headers, coercing the NukeViet server into initiating outbound cURL requests to an attacker-specified internal or external host. The vulnerability resides within the server_info_update() function in includes/ini.php, where attacker-controlled header values are used without proper validation to construct a URL. Exploitation is triggered by a POST request to index.php containing the __serverInfoUpdate=1 parameter, which is processed early in the application lifecycle before authentication. Although the SSRF is blind and uses a fixed request path, it can be abused for internal network reconnaissance (host and port discovery) and potentially to poison the site's cached server_headers.
Attack Chain
- An unauthenticated attacker crafts a
POSTrequest targetingindex.phpon the vulnerable NukeViet instance. - The attacker includes the
__serverInfoUpdate=1field in thePOSTbody and manipulates theX-Forwarded-HostandX-Forwarded-ProtoHTTP headers with an attacker-controlled host (e.g.,127.0.0.1:8080/). - The
includes/ini.phpfile processes the__serverInfoUpdate=1trigger very early, before any authentication takes place. - The
NukeViet\Core\Servercomponent, specificallystandardizeHost(), parses theX-Forwarded-HostandX-Forwarded-Protoheaders, failing to properly validate or normalize the input. The specific bypass involves appending a slash to the host:port (e.g.,127.0.0.1:8080/), preventing stripping of the port. - The
server_info_update()function then concatenates the attacker-controlled protocol and host values directly into a URL string. - A cURL request is initiated by the NukeViet server to the constructed URL (e.g.,
http://attacker-controlled-host:port/index.php?response_headers_detect=1). - The NukeViet server performs an outbound network connection to the attacker-controlled host, allowing for out-of-band detection by the attacker.
- The attacker can then use connection success/timing to perform internal host/port discovery or attempt to poison cached
server_headerswith the target's response.
Impact
This SSRF vulnerability, while not allowing direct data exfiltration or cloud credential theft due to its blind, HEAD-only, and fixed-path nature, still poses significant risks. Attackers can leverage it for unauthenticated internal network reconnaissance, allowing them to map internal hosts and open ports within an organization's infrastructure. Furthermore, the vulnerability enables the poisoning of the site's server_headers cache, which could potentially lead to further, unspecified malicious activity if these headers are used to influence site behavior or user interactions. The CVSS v3.1 score is 7.2 (High), reflecting the network-exploitable, low-complexity nature without requiring user interaction.
Recommendation
- Patch NukeViet installations to version 4.6.00 or later to remediate CVE-2026-55372, which includes robust validation and normalization of forwarded headers.
- Configure reverse proxies or web servers (e.g., Apache, Nginx) to strip or override client-supplied
X-Forwarded-Host,X-Forwarded-Proto, andX-Forwarded-Portheaders. - Ensure the
my_domainsconfiguration in NukeViet is set up with the site's canonical domain(s) to enable defense-in-depth checks. - Monitor your web server access logs for
POSTrequests to/index.phpcontaining the__serverInfoUpdate=1parameter as this indicates attempted exploitation of CVE-2026-55372. - Monitor network connection logs from your web server processes (e.g.,
php-fpm,apache2,nginx) for unusual outbound HTTP/HTTPS connections to external or internal IP addresses that are not part of legitimate application traffic.