CVE-2022-32175: AdGuardHome vulnerable to Cross-Site Request Forgery
CVSS Score: 4.3 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-32175
GHSA ID
EPSS Score: 0.1558%
CWE
Published: 10/11/2022
Updated: 10/10/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/AdguardTeam/AdGuardHome | go | >= 0.95, < 0.108.0-b.16 | 0.108.0-b.16 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the `handleFilteringSetRules` function accepting text/plain content without proper CSRF protections. The pre-patch implementation directly read plain text rules from the request body (`io.ReadAll`) and split them, making it vulnerable to CSRF attacks via malicious links. The fix introduced JSON validation (`filteringRulesReq` struct) and Content-Type checks (via `WriteTextPlainDeprecated`), indicating the original text/plain processing was the vulnerability source. The function's direct connection to custom filtering rules modification and the security patch's focus on this endpoint confirm its role in the vulnerability.
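The following Go example is added here and is not AdGuardHome's own code: it models the pre-patch pattern described above (plain-text body read and split regardless of Content-Type) beside a handler that requires a JSON Content-Type and a JSON body. The names `legacySetRules`, `hardenedSetRules`, `rulesReq` and `try`, the `/set_rules` path and the sample rule are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

var rules []string // stand-in for the stored custom filtering rules (constructed)

// legacySetRules models the pre-patch pattern: any body is split into rules.
func legacySetRules(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body) // read error ignored in this model
	rules = strings.Split(string(body), "\n")
}

// rulesReq is a hypothetical JSON body in the role of filteringRulesReq.
type rulesReq struct{ Rules []string `json:"rules"` }

// hardenedSetRules rejects any Content-Type but application/json, then decodes.
func hardenedSetRules(w http.ResponseWriter, r *http.Request) {
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		http.Error(w, "want application/json", http.StatusUnsupportedMediaType)
		return
	}
	var req rulesReq
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad JSON", http.StatusBadRequest)
		return
	}
	rules = req.Rules
}

// try sends a constructed POST to h and returns the response status code.
func try(h http.HandlerFunc, contentType, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/set_rules", strings.NewReader(body))
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(try(legacySetRules, "text/plain", "||ads.example^"), try(hardenedSetRules, "text/plain", "||ads.example^"))
}
```

The Content-Type check matters because text/plain is one of the body types a browser will submit cross-site without a CORS preflight, while application/json is not.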