<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CloudTAK &lt;= 13.7.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/cloudtak--13.7.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 21:36:31 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/cloudtak--13.7.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Authenticated Full-Read SSRF in CloudTAK /api/esri* Routes</title><link>https://feed.craftedsignal.io/briefs/2026-07-cloudtak-ssrf/</link><pubDate>Fri, 17 Jul 2026 21:36:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cloudtak-ssrf/</guid><description>An authenticated Server-Side Request Forgery (SSRF) vulnerability exists in CloudTAK's `/api/esri*` routes, allowing any authenticated user to compel the server to make arbitrary outbound HTTP requests to internal network resources, enabling attackers to access sensitive cloud instance metadata, enumerate internal services, and exfiltrate data by reflecting the response bodies.</description><content:encoded><![CDATA[<p>A critical authenticated Server-Side Request Forgery (SSRF) vulnerability (GHSA-r95q-fp26-h3hc) has been identified in CloudTAK versions up to and including 13.7.0. The vulnerability resides within the <code>/api/esri*</code> family of routes, which process user-controlled URLs without proper IP/DNS classification. This oversight allows any authenticated user to force the CloudTAK server to initiate arbitrary HTTP requests to internal network resources, such as cloud instance metadata services (e.g., AWS IMDSv1 at <code>169.254.169.254</code>) or loopback admin ports (<code>127.0.0.1:&lt;port&gt;</code>). Unlike blind SSRF, this is a full-read vulnerability, reflecting the upstream response body or error message directly back to the attacker. The issue stems from an incomplete security hardening effort, where an existing <code>isSafeUrl</code> guard was implemented in other parts of the application but neglected for the <code>/api/esri*</code> routes, which continue to use an unguarded <code>fetch</code> function from <code>@tak-ps/etl</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker (any valid user token) sends an HTTP POST request to <code>/api/esri</code> with a malicious <code>url</code> parameter in the body, or an HTTP GET request to <code>/api/esri/*</code> with malicious <code>portal</code>, <code>server</code>, or <code>layer</code> query parameters.</li>
<li>The CloudTAK application receives the request, which contains a crafted URL targeting an internal resource, such as <code>http://169.254.169.254/latest/meta-data/iam/security-credentials/arcgis/rest</code>.</li>
<li>The application's <code>EsriBase.sniff()</code> function performs a path validation, checking for <code>/rest</code>, <code>/arcgis/rest</code>, or <code>/sharing/rest</code> within the URL's pathname, which the crafted URL satisfies.</li>
<li>Crucially, no host or IP address validation is performed, allowing internal IP addresses (e.g., <code>169.254.169.254</code>, <code>127.0.0.1</code>) to pass the check.</li>
<li>The CloudTAK server, using the unguarded <code>fetch</code> function from <code>@tak-ps/etl</code>, makes an outbound HTTP request to the attacker-controlled internal address.</li>
<li>The targeted internal service (e.g., AWS IMDSv1, a local admin port, or other VPC-internal services) responds to the CloudTAK server's request.</li>
<li>The CloudTAK application captures the full response body or error message from the internal service.</li>
<li>The application reflects this sensitive internal information, including potential cloud credentials or internal service configurations, back to the attacker.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This full-read Server-Side Request Forgery (CWE-918) carries significant risk. Successful exploitation can lead to cloud credential theft, specifically temporary AWS credentials from IMDSv1 services (<code>169.254.169.254</code>), which attackers can then use to access and control cloud resources. Attackers can also perform extensive internal network enumeration, probing any host and port reachable from the CloudTAK server, including loopback admin ports and VPC-internal services. The ability to read full JSON responses allows for data exfiltration of sensitive information from these internal systems. While the vulnerability requires authentication, it does not necessitate administrative privileges, making any authenticated user a potential vector for attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect CloudTAK SSRF Attempt via GET /api/esri/*&quot; to your SIEM to identify suspicious exploitation attempts.</li>
<li>Monitor web server logs for HTTP GET requests to <code>/api/esri/*</code> routes containing internal IP addresses (e.g., 127.0.0.1, 169.254.169.254) or <code>localhost</code> within the <code>portal</code>, <code>server</code>, or <code>layer</code> query parameters.</li>
<li>Patch CloudTAK instances to a version that remediates GHSA-r95q-fp26-h3hc immediately.</li>
<li>Implement robust egress filtering on network firewalls and security groups to prevent CloudTAK servers from making outbound connections to internal-only IP ranges (e.g., <code>169.254.169.254</code>, <code>127.0.0.1</code>, RFC1918 addresses) unless absolutely essential and explicitly allowlisted.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>web-vulnerability</category><category>credential-access</category><category>network-discovery</category><category>cloud-security</category></item></channel></rss>