{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/magicmirror--2.35.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["magicmirror (\u003c= 2.35.0)"],"_cs_severities":["critical"],"_cs_tags":["ssrf","magicmirror","cve-2026-42281"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eMagicMirror² versions 2.35.0 and earlier contain an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the \u003ccode\u003e/cors\u003c/code\u003e endpoint. This flaw enables remote attackers to manipulate the MagicMirror² server into initiating arbitrary HTTP requests to internal networks, cloud metadata services (AWS, GCP, Azure), and localhost services. The vulnerability is located in the \u003ccode\u003ejs/server_functions.js\u003c/code\u003e file, specifically within the \u003ccode\u003ecors()\u003c/code\u003e function. Attackers can exploit this by sending a crafted GET request to the \u003ccode\u003e/cors\u003c/code\u003e endpoint with a malicious URL. The server expands environment variable placeholders within the URL before making the request, allowing exfiltration of sensitive information. 
This vulnerability poses a significant risk to cloud deployments and internal networks, potentially leading to full compromise of cloud instance credentials and access to internal resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a MagicMirror² instance exposed on a network (default port 8080).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a GET request to the \u003ccode\u003e/cors\u003c/code\u003e endpoint with a target URL pointing to a cloud metadata service (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe MagicMirror² server receives the request and, without authentication or validation, processes the URL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereplaceSecretPlaceholder()\u003c/code\u003e function expands any environment variable placeholders (e.g., \u003ccode\u003e**SECRET_API_KEY**\u003c/code\u003e) in the URL.\u003c/li\u003e\n\u003cli\u003eThe server uses the \u003ccode\u003efetch()\u003c/code\u003e function to make an HTTP request to the target URL.\u003c/li\u003e\n\u003cli\u003eThe cloud metadata service (or internal service) responds to the MagicMirror² server.\u003c/li\u003e\n\u003cli\u003eThe MagicMirror² server forwards the full response, including sensitive data like IAM role credentials or internal service responses, back to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains sensitive information, potentially leading to full cloud instance compromise, internal network access, or secret exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can have severe consequences. Cloud deployments (AWS/GCP/Azure) are at risk of full compromise due to access to instance metadata, including IAM role credentials. This can allow attackers to move laterally within the cloud account. 
Internal networks become accessible to the attacker through the compromised MagicMirror² server, allowing for scanning and interaction with internal services. Sensitive information such as API keys, database credentials, and other configuration data stored as environment variables can be exfiltrated. This impacts anyone running MagicMirror² exposed to an untrusted network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MagicMirror CORS Endpoint SSRF Attempt\u003c/code\u003e to identify potential exploitation attempts by monitoring for requests to the \u003ccode\u003e/cors\u003c/code\u003e endpoint with URLs targeting metadata services or internal IPs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MagicMirror Environment Variable Exfiltration\u003c/code\u003e to detect requests to the \u003ccode\u003e/cors\u003c/code\u003e endpoint attempting to exfiltrate environment variables.\u003c/li\u003e\n\u003cli\u003eBlock access to the following IOC at the network level to prevent initial reconnaissance: \u003ccode\u003e169.254.169.254\u003c/code\u003e (AWS IMDSv1 metadata service).\u003c/li\u003e\n\u003cli\u003eUpgrade MagicMirror² to a version higher than 2.35.0 to patch CVE-2026-42281.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-magicmirror-ssrf/","summary":"An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in MagicMirror² allows remote attackers to force the server to perform arbitrary HTTP requests, exfiltrate environment variables, and potentially compromise cloud instances or internal networks.","title":"MagicMirror² Unauthenticated SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-09-magicmirror-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Magicmirror (\u003c= 
2.35.0)","version":"https://jsonfeed.org/version/1.1"}