<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Stoatchat &lt; 0.14.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/stoatchat--0.14.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 17:22:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/stoatchat--0.14.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-63088: stoatchat Server-Side Request Forgery (SSRF) via DNS Blocklist Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-63088-stoatchat-ssrf/</link><pubDate>Thu, 16 Jul 2026 17:22:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-63088-stoatchat-ssrf/</guid><description>An unauthenticated, network-accessible Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-63088, exists in stoatchat versions prior to 0.14.0, allowing attackers to bypass DNS-based IP blocklists by exploiting incomplete address validation, potentially leading to unauthorized access to internal network resources.</description><content:encoded><![CDATA[<p>CVE-2026-63088 describes a critical Server-Side Request Forgery (SSRF) vulnerability affecting stoatchat versions prior to 0.14.0. This flaw allows unauthenticated attackers with network access to the stoatchat instance to bypass the application's DNS-based IP blocklist. The vulnerability stems from incomplete address validation within the <code>url_is_blacklisted</code> function, which only inspects the first resolved IP address of a target URL. However, the underlying HTTP client proceeds to iterate through all cached IP addresses returned by the DNS resolution, including those that would typically be blocked. This enables an attacker to craft DNS responses that present a legitimate initial IP, followed by an internal or restricted IP, effectively turning the stoatchat server into a proxy for internal network access. This vulnerability carries a CVSS v3.1 Base Score of 8.6, indicating a high severity risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a crafted network request to a vulnerable <code>stoatchat</code> instance (version &lt; 0.14.0).</li>
<li>The crafted request includes a URL pointing to a domain controlled by the attacker.</li>
<li>The <code>stoatchat</code> application, specifically the <code>url_is_blacklisted</code> function, resolves the attacker-controlled domain to check if its IP address is blocklisted.</li>
<li>The attacker's DNS server responds with multiple IP addresses for the domain, where the first IP is a benign, public address, but subsequent IPs point to internal or blacklisted resources within the victim's network.</li>
<li>The <code>url_is_blacklisted</code> function validates only the first resolved IP address, which passes the blocklist check, allowing the request to proceed.</li>
<li>The underlying HTTP client within <code>stoatchat</code> then attempts to connect to the provided URL, iterating through all cached IP addresses from the DNS resolution.</li>
<li>This iteration eventually leads the HTTP client to connect to an internal or blacklisted IP address, bypassing the intended security controls.</li>
<li>The <code>stoatchat</code> server effectively acts as a proxy, performing a Server-Side Request Forgery (SSRF) and allowing the attacker to access internal network resources or services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-63088 allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF). This can lead to unauthorized access to internal network resources and services that are otherwise protected from external reach. Attackers could potentially scan internal networks, access sensitive data from internal APIs or databases, interact with other vulnerable internal services, or even launch further attacks from within the compromised network segment. While the NVD description does not provide specific victim counts or sectors, the nature of SSRF vulnerabilities often means that any organization using the affected software could be at risk of internal network compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all <code>stoatchat</code> instances to version 0.14.0 or later to patch CVE-2026-63088.</li>
<li>Implement egress filtering on network devices to restrict outbound connections from <code>stoatchat</code> servers, preventing access to internal IP ranges (e.g., RFC1918 addresses) or critical internal services.</li>
<li>Monitor network connection logs from <code>stoatchat</code> servers for unusual outbound connections, especially to internal IP addresses or non-standard ports that could indicate SSRF attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>ssrf</category><category>web-application</category></item></channel></rss>