
CVE-2021-23664: Server-side request forgery in @isomorphic-git/cors-proxy

CVSS Score (v3.1)
8.6

Basic Information

EPSS Score
0.50679%
Published
1/26/2022
Updated
2/3/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Package Name
@isomorphic-git/cors-proxy
Ecosystem
npm
Vulnerable Versions
< 2.7.1
First Patched Version
2.7.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two key issues in `middleware.js`: 1) The fetch call followed redirects automatically (the default behavior) because `redirect: 'manual'` was not set, so a malicious 3xx response from the upstream could steer the proxy's follow-up request to a destination of the attacker's choosing (SSRF). 2) The Location header was not processed or validated at all, so internal redirect targets were accepted. The patch added both `redirect: 'manual'` and Location header sanitization, confirming these were the vulnerable points. The middleware's request-proxying function is the entry point for SSRF exploitation.
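The two fixes the analysis describes, written out as an added Node.js example that is not the cors-proxy project's own code: the proxy requests the upstream with `redirect: 'manual'` so fetch never follows a 3xx on the server side, and a redirect is only relayed to the client after its Location header has been resolved, restricted to http/https, checked against loopback/private address literals, and matched to an allowlist of git hosts. The allowlist (github.com, gitlab.com), the `proxyRequest`/`sanitizeLocation`/`isInternalHost` names and the in-memory stand-in for fetch are assumptions made for this example so that it runs offline.

```javascript
'use strict';

// Hosts the proxy may contact, directly or via a relayed redirect.
// Assumed values for this example; a deployment would configure its own list.
const DEFAULT_ALLOWED_HOSTS = ['github.com', 'gitlab.com'];

// True for loopback, link-local, private, unspecified and IPv4-mapped address
// literals, so a redirect can never point the proxy at the network it runs in.
function isInternalHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ''); // URL keeps [] on IPv6
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h.startsWith('::ffff:')) return true; // IPv4-mapped IPv6 has no legitimate use here
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) {
    const [a, b] = h.split('.').map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (h.includes(':')) { // bare IPv6 literal
    return h === '::' || h === '::1' || /^f[cd]/.test(h) || /^fe[89ab]/.test(h);
  }
  return false;
}

// Validate a Location header before anything acts on it. Returns the absolute
// URL to hand back to the client, or null to reject the redirect outright.
function sanitizeLocation(location, upstreamUrl, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  if (!location) return null;
  let target;
  try {
    target = new URL(location, upstreamUrl); // relative Locations resolve against the upstream
  } catch {
    return null;
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return null;
  if (target.username || target.password) return null;
  if (isInternalHost(target.hostname)) return null;
  if (!allowedHosts.includes(target.hostname)) return null;
  return target.href;
}

// Proxy one upstream request. redirect: 'manual' stops fetch from following
// 3xx responses server-side; a redirect is only relayed to the client, and only
// after its Location has passed sanitizeLocation().
async function proxyRequest(upstreamUrl, { fetchImpl = globalThis.fetch, allowedHosts } = {}) {
  const res = await fetchImpl(upstreamUrl, { redirect: 'manual' });
  if (res.status >= 300 && res.status < 400) {
    const safe = sanitizeLocation(res.headers.get('location'), upstreamUrl, allowedHosts);
    if (!safe) return { status: 502, headers: {}, body: 'upstream redirect rejected' };
    return { status: res.status, headers: { location: safe }, body: '' };
  }
  return { status: res.status, headers: {}, body: await res.text() };
}

// Constructed upstream responses standing in for a real git host (offline demo).
// Keys are the URLs the proxy would request.
const CONSTRUCTED_UPSTREAMS = {
  'https://github.com/acme/app.git/info/refs': { status: 200, body: '001e# service=git-upload-pack\n' },
  'https://github.com/acme/old.git/info/refs': { status: 301, headers: { location: '/acme/app.git/info/refs' } },
  'https://github.com/acme/bad.git/info/refs': { status: 302, headers: { location: 'http://127.0.0.1:8080/' } },
  'https://github.com/acme/bad2.git/info/refs': { status: 302, headers: { location: 'https://example.org/' } },
};

// Minimal fetch stand-in over the table above; refuses to serve a caller that
// forgot redirect: 'manual', which is exactly the defect being fixed.
function fakeFetch(table) {
  return async (url, init) => {
    if (!init || init.redirect !== 'manual') throw new Error('proxy must request manual redirect handling');
    const entry = table[String(url)] || { status: 404, body: 'not found' };
    const headers = entry.headers || {};
    return {
      status: entry.status,
      headers: { get: (name) => headers[name.toLowerCase()] ?? null },
      text: async () => entry.body || '',
    };
  };
}

// Run the four constructed cases and return the proxy's answer for each.
async function demo() {
  const fetchImpl = fakeFetch(CONSTRUCTED_UPSTREAMS);
  const results = {};
  for (const name of ['app', 'old', 'bad', 'bad2']) {
    results[name] = await proxyRequest(`https://github.com/acme/${name}.git/info/refs`, { fetchImpl });
  }
  return results;
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The allowlist is matched on the hostname the client will be sent to, not on a resolved IP, so `isInternalHost` is defense in depth rather than the primary control; a hostname check alone does not cover a name that resolves to an internal address, which is why an allowlist of known public hosts is the stronger of the two gates.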


WAF Protection Rules

WAF Rule

The package @isomorphic-git/cors-proxy before 2.7.1 is vulnerable to Server-side Request Forgery (SSRF) due to missing sanitization and validation of the redirection action in middleware.js.
