CVE-2022-29188: Smokescreen SSRF via deny list bypass (square brackets)
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.46313%
CWE
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/stripe/smokescreen | go | < 0.0.4 | 0.0.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper hostname normalization when checking deny lists. The commit diff shows critical changes in hostname handling:
- In BuildProxy, switching from req.Host to req.URL.Hostname() for remoteHost determination
- In handleConnect, changing from pctx.Req.Host to pctx.Req.URL.Hostname() for security checks These functions were vulnerable because req.Host preserves square brackets around hostnames, while URL.Hostname() properly strips them. The original implementation allowed attackers to bypass deny lists by wrapping domains in square brackets, as the deny list matching would see '[example.com]' instead of 'example.com'.