| Título | DbGate DbGate Premium 7.1.4 Server-Side Request Forgery |
|---|
| Descrição | Summary
DbGate contains an SSRF issue in its REST/GraphQL connection drivers. An authenticated user can make the DbGate server send HTTP requests to arbitrary URLs, including internal-only services reachable from the server network.
Details
The issue is caused by user-controlled URLs being used directly in server-side axios requests:
- packages/rest/src/openApiDriver.ts#L5: apiServerUrl1 is fetched with axios.get(...)
- packages/rest/src/graphQlDriver.ts#L11: apiServerUrl1 is passed into GraphQL introspection
- packages/rest/src/graphqlIntrospection.ts#L463: introspection uses axios.post(url, ...)
- packages/rest/src/restApiExecutor.ts#L184: REST execution builds a URL from user input and sends it with axios(...)
There is no filtering for localhost, private IP ranges, or internal hostnames.
PoC
I reproduced this with DbGate Premium in Docker plus an internal-only canary HTTP container.
1. Run DbGate Premium and a second container named canary on the same Docker network.
2. Do not expose the canary port to the host.
3. Configure canary to serve /openapi.json.
4. In DbGate Premium, create a new OpenAPI - REST connection.
5. Set API Definition URL to:
- http://canary:8080/openapi.json
6. Click Test connection.
Observed result:
- the canary container receives GET /openapi.json
This proves DbGate made a server-side request to an internal-only hostname that is not directly reachable from the browser.
Impact
This is an authenticated SSRF vulnerability in DbGate Premium.
An authenticated user can use the server as an HTTP client to access internal services, localhost-only endpoints, Docker/Kubernetes service names, or cloud metadata endpoints reachable from the server network.
|
|---|
| Utilizador | ngocnn97 (UID 96701) |
|---|
| Submissão | 23/03/2026 02h34 (há 1 mês) |
|---|
| Moderação | 13/04/2026 15h18 (21 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 357134 [DbGate até 7.1.4 REST/GraphQL openApiDriver.ts apiServerUrl1 Elevação de Privilégios] |
|---|
| Pontos | 17 |
|---|