
CVE-2021-23718: Server-Side Request Forgery in ssrf-agent

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.57089%
Published: 12/2/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Package Name: ssrf-agent
Ecosystem: npm
Vulnerable Versions: < 1.0.5
First Patched Version: 1.0.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the defaultIpChecker function in index.js as shown in the GitHub commit diff. The original code only checked isV4Format() before validating if an IP was private, leaving IPv6 addresses unvalidated. The patched version added isV6Format() checking to prevent bypasses via IPv6 addresses. Multiple sources including the CVE description, Snyk advisory, and commit message explicitly reference this function as the vulnerable component that failed to properly validate private IP addresses.


WAF Protection Rules

WAF Rule

The package ssrf-agent before 1.0.5 is vulnerable to Server-side Request Forgery (SSRF) via the defaultIpChecker function. It fails to properly validate if the IP requested is private.
