| Field | Value |
|---|---|
| Title | Deco deco-apps 0.114.12 - 0.120.1 Server-Side Request Forgery |
| Description | A Server-Side Request Forgery (SSRF) vulnerability exists in the `analyticsScript.ts` loader. The `url` parameter is not properly validated, allowing an attacker to make the server fetch arbitrary URLs, including `file://` URIs. This enables local file disclosure (e.g., `/etc/passwd`, `/etc/hosts`, `/proc/self/environ`). With crafted payloads, an attacker could also reach internal services (e.g., cloud metadata endpoints).<br><br>Impact: An attacker can reach `file:///etc/hosts`, `file:///etc/passwd` and `file:///proc/self/environ`, the last of which leaks the process's entire set of environment variables.<br><br>PoC: `curl --path-as-is -i -s -k -X GET -H 'Host: 127.0.0.1' 'http://127.0.0.1/live/invoke/website/loaders/analyticsScript.ts?url=file:///etc/passwd'`<br><br>Mitigation / Fix: Apply the patch in commit https://github.com/deco-cx/apps/commit/8675c0b3d75a778198afdf6f35730eafd114ccd8, which validates and sanitizes the `url` parameter and restricts the allowed schemes and hosts.<br><br>Fix version: 0.120.2 - latest<br>Fixed commit: https://github.com/deco-cx/apps/commit/8675c0b3d75a778198afdf6f35730eafd114ccd8 |
| User | Anonymous User |
| Submission | 11/09/2025 15:15 (7 months ago) |
| Moderation | 11/30/2025 14:54 (21 days later) |
| Status | Accepted |
| VulDB entry | 333807 [deco-cx apps up to 0.120.1 Parameter analyticsScript.ts AnalyticsScript url server-side request forgery] |
| Points | 17 |