{"url":"http://public2.vulnerablecode.io/api/packages/1024304?format=json","purl":"pkg:npm/%40nocobase/plugin-workflow-request@1.5.0-beta.4","type":"npm","namespace":"@nocobase","name":"plugin-workflow-request","version":"1.5.0-beta.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.0.37","latest_non_vulnerable_version":"2.0.37","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90307?format=json","vulnerability_id":"VCID-q25w-8a2z-63cc","summary":"NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins\n## Summary\n\nNocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost.\n\n## Vulnerable Code\n\n### 1. Workflow HTTP Request Plugin\n\n**`packages/plugins/@nocobase/plugin-workflow-request/src/server/RequestInstruction.ts` lines 117-128:**\n```typescript\nreturn axios.request({\n  url: trim(url),  // User-controlled, no validation\n  method,\n  headers,\n  params,\n  timeout,\n  ...(method.toLowerCase() !== 'get' && data != null\n    ? { data: transformer ? await transformer(data) : data }\n    : {}),\n});\n```\n\nThe `url` at line 98 comes directly from user workflow configuration with only whitespace trimming.\n\n### 2. Custom Request Action Plugin\n\n**`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:**\n```typescript\nconst axiosRequestConfig = {\n  baseURL: ctx.origin,\n  ...options,\n  url: getParsedValue(url, variables),  // User-controlled via template\n  headers: { ... },\n  params: getParsedValue(arrayToObject(params), variables),\n  data: getParsedValue(toJSON(data), variables),\n};\nconst res = await axios(axiosRequestConfig);  // No IP validation\n```\n\n## Missing Protections\n\n- No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase)\n- No private IP range filtering\n- No cloud metadata endpoint blocking\n- No URL scheme validation\n- No DNS rebinding protection\n\n## Attack Scenario\n\n1. Authenticated user creates a workflow with HTTP Request node\n2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`\n3. Triggers the workflow\n4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs\n\nAlternatively via Custom Request action:\n1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin`\n2. Execute the action\n3. Server makes request to internal service\n\n## Impact\n\n- **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints\n- **Internal network access**: Scan and interact with services on private IP ranges\n- **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.)\n- **Authentication required**: Yes (authenticated user), but any workspace member can create workflows","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40346","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03131","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03059","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03079","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03121","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40346"},{"reference_url":"https://github.com/nocobase/nocobase","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocobase/nocobase"},{"reference_url":"https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:37Z/"}],"url":"https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59"},{"reference_url":"https://github.com/nocobase/nocobase/pull/9079","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:37Z/"}],"url":"https://github.com/nocobase/nocobase/pull/9079"},{"reference_url":"https://github.com/nocobase/nocobase/releases/tag/v2.0.37","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:37Z/"}],"url":"https://github.com/nocobase/nocobase/releases/tag/v2.0.37"},{"reference_url":"https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:37Z/"}],"url":"https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40346","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40346"},{"reference_url":"https://github.com/advisories/GHSA-mvvv-v22x-xqwp","reference_id":"GHSA-mvvv-v22x-xqwp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mvvv-v22x-xqwp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111631?format=json","purl":"pkg:npm/%40nocobase/plugin-workflow-request@2.0.37","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/plugin-workflow-request@2.0.37"}],"aliases":["CVE-2026-40346","GHSA-mvvv-v22x-xqwp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q25w-8a2z-63cc"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/plugin-workflow-request@1.5.0-beta.4"}