Summary
Directus versions <=9.22.4 is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to /files/import). An attacker can bypass the security controls that were implemented to patch vulnerability CVE-2022-23080 by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan (eg. can access internal metadata API for AWS at http://169.254.169.254 event if 169.254.169.254 is in the deny IP list).
Details
DNS rebinding attacks work by running a DNS name server that resolves two different IP addresses when a domain is resolved simultaneously. This type of attack can be exploited to bypass the IP address deny list validation that was added to /api/src/services/file.ts for the function importOne to mitigate the previous SSRF vulnerability CVE-2022-23080. The validation in /api/src/services/file.ts first checks if the resolved IP address for a domain name does not a resolve to an IP address in the deny list:
let ip = resolvedUrl.hostname;
if (net.isIP(ip) === 0) {
try {
ip = (await lookupDNS(ip)).address;
} catch (err: any) {
logger.warn(err, `Couldn't lookup the DNS for url ${importURL}`);
throw new ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
service: 'external-file',
});
}
}
if (env.IMPORT_IP_DENY_LIST.includes('0.0.0.0')) {
const networkInterfaces = os.networkInterfaces();
for (const networkInfo of Object.values(networkInterfaces)) {
if (!networkInfo) continue;
for (const info of networkInfo) {
if (info.address === ip) {
logger.warn(`Requested URL ${importURL} resolves to localhost.`);
throw new ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
service: 'external-file',
});
}
}
}
}
if (env.IMPORT_IP_DENY_LIST.includes(ip)) {
logger.warn(`Requested URL ${importURL} resolves to a denied IP address.`);
throw new ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
service: 'external-file',
});
}
Once it validates that the resolved IP address is not in the deny list, then it uses axios to GET the url and saves the response content.
try {
fileResponse = await axios.get<Readable>(encodeURL(importURL), {
responseType: 'stream',
});
} catch (err: any) {
logger.warn(err, `Couldn't fetch file from url "${importURL}"`);
throw new ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
service: 'external-file',
});
}
However, this validation check and fetching the web resource causes to DNS queries that enable a DNS rebinding attack. On the first DNS query, an attacker controlled name server can be configured to resolve to an external IP address that is not in the deny list to bypass the validation. Then when axios is called, the name server resolves the domain name to a local IP address.
PoC
To demonstrate we will be using an online tool named rebinder. Rebinder randomly changes the IP address it resolves to depending on the subdomain. For an example, 7f000001.8efa468e.rbndr.us can resolve to either 142.250.70.142 (google.com) or 127.0.0.1. Sending multiple POST requests to /files/import using this domain will eventually cause a resolution to 142.250.70.142 first to bypass the validation then fetch the sensitive from an internal server when axios is called.
The following screenshots show what it looks like when a successful attack occurs.
Downloading a file named secret.txt from a webserver running from http://127.0.0.1/secret.txt
Receiving the request from the internal server. Note that the incoming connection is from 127.0.0.1.
After downloading the file it leaks the content of the secret file.
Impact
An attacker can exploit this vulnerability to access highly sensitive internal server and steal sensitive information. An example is on Cloud Environments that utilise internal APIs for managing machine and privileges. For an example, if directus is hosted on AWS EC2 instance and has an IAM role assigned to the EC2 instance then an attacker can exploit this vulnerability to steal the AWS access keys to impersonate the EC2 instance using the AWS API.
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2023-26492 has a CVSS score of 5.0 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (9.23.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2023-26492? CVE-2023-26492 is a medium-severity server-side request forgery (SSRF) vulnerability in directus (npm), affecting versions < 9.23.0. It is fixed in 9.23.0. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
- How severe is CVE-2023-26492? CVE-2023-26492 has a CVSS score of 5.0 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of directus are affected by CVE-2023-26492? directus (npm) versions < 9.23.0 is affected.
- Is there a fix for CVE-2023-26492? Yes. CVE-2023-26492 is fixed in 9.23.0. Upgrade to this version or later.
- Is CVE-2023-26492 exploitable, and should I be worried? Whether CVE-2023-26492 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2023-26492 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2023-26492? Upgrade
directusto 9.23.0 or later.