
CVE-2024-27927:
RSSHub vulnerable to Server-Side Request Forgery

CVSS Score: 6.5 (CVSS 3.1)

Basic Information

EPSS Score
0.71138%
Published
3/6/2024
Updated
3/21/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rsshub | npm | < 1.0.0-master.a429472 | 1.0.0-master.a429472 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from three key functions:

  1. In the /m4 route: the user-controlled 'id' was directly interpolated into the domain (${id}.m4.cn) without validation, as shown in the pre-patch code.
  2. In the mastodon utils: getAccountIdByAcct allowed user-supplied domains (via the acct parameter) to construct API endpoints without proper allowlist checks when MASTODON_API_HOST wasn't configured.
  3. In the /zjol route: the 'id' parameter was used to build https://${id}.zjol.com.cn without validation.

All three patterns enable SSRF by letting attackers control the target domain in HTTP requests. The patches (an added isValidHost check for /m4, and validation moved into utils for mastodon) confirm these were the vulnerable points.
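The unsafe interpolation described above next to a hardened version, as an added example that is not RSSHub's own code: `isValidHost`, `buildRouteUrl` and `apiHostForAcct` are hypothetical names, and the allowlist entries are constructed samples, not RSSHub configuration.

```javascript
// Added example, not RSSHub's code. Hardened form of the pattern this advisory
// describes: a user-supplied `id` becomes a subdomain of a fixed parent domain.
// `isValidHost`, `buildRouteUrl` and `apiHostForAcct` are hypothetical names.

// One RFC 1123 hostname label: alphanumerics and hyphens, no leading or
// trailing hyphen, at most 63 characters. Dots, slashes, '@' and ':' all fail.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHost(id) {
  return typeof id === 'string' && LABEL_RE.test(id);
}

// Vulnerable shape described above (the /m4 and /zjol routes): no validation,
// so whatever `id` contains ends up in the request target.
function buildRouteUrlUnsafe(id, parentDomain) {
  return `https://${id}.${parentDomain}/`;
}

// Hardened shape: reject anything that is not a single label, then confirm the
// parsed hostname is exactly the label under the expected parent domain.
function buildRouteUrl(id, parentDomain) {
  if (!isValidHost(id)) {
    throw new Error(`invalid id: ${JSON.stringify(id)}`);
  }
  const url = new URL(`https://${id}.${parentDomain}/`);
  if (url.hostname !== `${id}.${parentDomain}`.toLowerCase()) {
    throw new Error('hostname did not parse as expected');
  }
  return url.href;
}

// Mastodon-style case: the domain comes from an `acct` value ("user@domain").
// When no API host is configured by the operator, only accept domains on an
// explicit allowlist. The allowlist entries below are constructed samples.
const MASTODON_ALLOWLIST = new Set(['mastodon.social', 'fosstodon.org']);

function apiHostForAcct(acct, configuredApiHost) {
  if (configuredApiHost) return configuredApiHost; // operator setting wins
  const at = acct.lastIndexOf('@');
  const domain = at >= 0 ? acct.slice(at + 1).toLowerCase() : '';
  if (!MASTODON_ALLOWLIST.has(domain)) {
    throw new Error(`domain not on allowlist: ${domain}`);
  }
  return domain;
}
```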

Vulnerable functions


WAF Protection Rules

WAF Rule

Summary

Several Server-Side Request Forgery (SSRF) vulnerabilities in RSSHub allow remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct denial-o
