{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/stoatchat--0.14.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-63088"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["stoatchat \u003c 0.14.0"],"_cs_severities":["high"],"_cs_tags":["vulnerability","ssrf","web-application"],"_cs_type":"advisory","_cs_vendors":["stoatchat"],"content_html":"\u003cp\u003eCVE-2026-63088 describes a critical Server-Side Request Forgery (SSRF) vulnerability affecting stoatchat versions prior to 0.14.0. This flaw allows unauthenticated attackers with network access to the stoatchat instance to bypass the application's DNS-based IP blocklist. The vulnerability stems from incomplete address validation within the \u003ccode\u003eurl_is_blacklisted\u003c/code\u003e function, which only inspects the first resolved IP address of a target URL. However, the underlying HTTP client proceeds to iterate through all cached IP addresses returned by the DNS resolution, including those that would typically be blocked. This enables an attacker to craft DNS responses that present a legitimate initial IP, followed by an internal or restricted IP, effectively turning the stoatchat server into a proxy for internal network access. This vulnerability carries a CVSS v3.1 Base Score of 8.6, indicating a high severity risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted network request to a vulnerable \u003ccode\u003estoatchat\u003c/code\u003e instance (version \u0026lt; 0.14.0).\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a URL pointing to a domain controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003estoatchat\u003c/code\u003e application, specifically the \u003ccode\u003eurl_is_blacklisted\u003c/code\u003e function, resolves the attacker-controlled domain to check if its IP address is blocklisted.\u003c/li\u003e\n\u003cli\u003eThe attacker's DNS server responds with multiple IP addresses for the domain, where the first IP is a benign, public address, but subsequent IPs point to internal or blacklisted resources within the victim's network.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eurl_is_blacklisted\u003c/code\u003e function validates only the first resolved IP address, which passes the blocklist check, allowing the request to proceed.\u003c/li\u003e\n\u003cli\u003eThe underlying HTTP client within \u003ccode\u003estoatchat\u003c/code\u003e then attempts to connect to the provided URL, iterating through all cached IP addresses from the DNS resolution.\u003c/li\u003e\n\u003cli\u003eThis iteration eventually leads the HTTP client to connect to an internal or blacklisted IP address, bypassing the intended security controls.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003estoatchat\u003c/code\u003e server effectively acts as a proxy, performing a Server-Side Request Forgery (SSRF) and allowing the attacker to access internal network resources or services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-63088 allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF). This can lead to unauthorized access to internal network resources and services that are otherwise protected from external reach. Attackers could potentially scan internal networks, access sensitive data from internal APIs or databases, interact with other vulnerable internal services, or even launch further attacks from within the compromised network segment. While the NVD description does not provide specific victim counts or sectors, the nature of SSRF vulnerabilities often means that any organization using the affected software could be at risk of internal network compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all \u003ccode\u003estoatchat\u003c/code\u003e instances to version 0.14.0 or later to patch CVE-2026-63088.\u003c/li\u003e\n\u003cli\u003eImplement egress filtering on network devices to restrict outbound connections from \u003ccode\u003estoatchat\u003c/code\u003e servers, preventing access to internal IP ranges (e.g., RFC1918 addresses) or critical internal services.\u003c/li\u003e\n\u003cli\u003eMonitor network connection logs from \u003ccode\u003estoatchat\u003c/code\u003e servers for unusual outbound connections, especially to internal IP addresses or non-standard ports that could indicate SSRF attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T17:22:17Z","date_published":"2026-07-16T17:22:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-63088-stoatchat-ssrf/","summary":"An unauthenticated, network-accessible Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-63088, exists in stoatchat versions prior to 0.14.0, allowing attackers to bypass DNS-based IP blocklists by exploiting incomplete address validation, potentially leading to unauthorized access to internal network resources.","title":"CVE-2026-63088: stoatchat Server-Side Request Forgery (SSRF) via DNS Blocklist Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-63088-stoatchat-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Stoatchat \u003c 0.14.0","version":"https://jsonfeed.org/version/1.1"}