{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/open-apis/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@haxtheweb/open-apis"],"_cs_severities":["high"],"_cs_tags":["ssrf","credential-theft","open-apis"],"_cs_type":"advisory","_cs_vendors":["haxtheweb"],"content_html":"\u003cp\u003eThe open-apis package by haxtheweb contains a vulnerability related to insufficient hostname validation. Specifically, the functions in \u003ccode\u003ecacheAddress.js\u003c/code\u003e, \u003ccode\u003eJOSHelpers.js\u003c/code\u003e, and \u003ccode\u003eelmslnToSite.js\u003c/code\u003e use substring matching to validate hostnames when deciding whether to send basic authorization headers. This flawed logic allows attackers to craft API calls that include a valid substring, but redirect the request to an attacker-controlled domain, effectively capturing the credentials intended for the legitimate domains.\nThis vulnerability affects versions of \u003ccode\u003e@haxtheweb/open-apis\u003c/code\u003e prior to 26.0.0 and poses a risk of internal data and credential exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable endpoint using \u003ccode\u003ecacheAddress.js\u003c/code\u003e, \u003ccode\u003eJOSHelpers.js\u003c/code\u003e, or \u003ccode\u003eelmslnToSite.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API call to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eThe API call includes a substring that matches a hard-coded, legitimate site name.\u003c/li\u003e\n\u003cli\u003eThe attacker appends the matched substring to an attacker-controlled domain within the API call.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function performs a server-side request to the attacker-controlled domain.\u003c/li\u003e\n\u003cli\u003eThe request includes authentication credentials intended for the legitimate domain.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the transmitted authentication credentials from their controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access unreleased LMS content on other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for the exfiltration of sensitive internal data, including authentication credentials. The captured credentials can grant unauthorized access to other systems, including unreleased LMS content.\nThe vulnerability affects all users of \u003ccode\u003e@haxtheweb/open-apis\u003c/code\u003e versions prior to 26.0.0, with the impact being the potential compromise of internal systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003e@haxtheweb/open-apis\u003c/code\u003e package to version 26.0.0 or later to patch the vulnerability as described in \u003ca href=\"https://github.com/advisories/GHSA-4fg7-f244-3j49\"\u003eGHSA-4fg7-f244-3j49\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SSRF via Substring Matching in open-apis\u0026rdquo; to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and audit internal APIs that handle sensitive credentials to ensure proper hostname validation is implemented to prevent similar SSRF attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:46:48Z","date_published":"2026-05-19T14:46:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-ssrf-in-open-apis/","summary":"Multiple functions in open-apis conduct substring-only matching to validate hostnames, allowing an attacker to perform Server-Side Request Forgery (SSRF) and capture authentication credentials by redirecting requests to an attacker-controlled endpoint.","title":"HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis","url":"https://feed.craftedsignal.io/briefs/2026-05-ssrf-in-open-apis/"}],"language":"en","title":"CraftedSignal Threat Feed — Open-Apis","version":"https://jsonfeed.org/version/1.1"}