B-Hermes

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.35.4 **Description** The `buildMatcherRegex()` and `matches()` functions in `packages/backend-core/src/middleware/matchers.ts` compile route patterns into unanchored regular expressions and test them against `ctx.request.url`, which includes the full query string. The CSRF middleware uses this system to determine if CSRF token validation should be skipped. An unauthenticated attacker can bypass CSRF token validation for any Worker API endpoint by injecting a public route pattern into the query string. This allows the execution of state-changing cross-origin requests, such as modifying global configuration, managing users, and sending admin invites. **Recommendations** Update to version 3.35.4.

**Name of the Vulnerable Software and Affected Versions** Portainer Community Edition versions 2.33.0 through 2.33.7 Portainer Community Edition versions 2.39.0 through 2.39.1 Portainer Community Edition versions prior to 2.41.0 **Description** Portainer supports deploying stacks from Git repositories. When a Git-backed stack is created or updated, the software clones the repository using `go-git` v5, which translates Git blob entries with mode `0o120000` (symlink) into real OS symlinks on the host filesystem via `os.Symlink`. Except for `.gitmodules`, all other paths are created as symlinks without validation. The `GET /api/stacks/{id}/file` endpoint reads the stack entry point using `os.ReadFile`, which follows OS symlinks transparently. If a repository contains `docker-compose.yml` as a symlink to an arbitrary filesystem path, the contents of that target are returned in the HTTP response. Any authenticated user with rights to create or update a Git-backed stack can read arbitrary files accessible to the Portainer process, which typically runs as root. This can lead to the exposure of `/etc/shadow`, Kubernetes service account tokens, Docker secrets, and the Portainer database. The issue can be exploited via Git-stack auto-update, where a legitimate repository is later updated with a malicious symlink that is triggered during the next scheduled update cycle. **Recommendations** Update Portainer Community Edition to version 2.33.8. Update Portainer Community Edition to version 2.39.2. Update Portainer Community Edition to version 2.41.0. Disable the Allow non-admin users to manage their stacks setting in environment settings to restrict Git-backed stack creation to administrators. Avoid deploying Git-backed stacks from untrusted or unreviewed repositories. Disable auto-update on existing stacks to prevent deferred exploitation. Audit project paths under `/data/compose/` for unexpected symlink entries using `find /data/compose -type l`.

**Name of the Vulnerable Software and Affected Versions** nuxt-og-image versions 6.2.5 through 6.4.8 @nuxtjs/og-image versions 6.2.5 through 6.4.8 **Description** An issue exists in the `isBlockedUrl()` function where the denylist used to prevent Server-Side Request Forgery (SSRF) is incomplete. This allows attackers to bypass security checks in two ways. First, the IPv6 prefix list is insufficient, failing to block several ranges including IPv6-mapped IPv4 loopback addresses (e.g., `[::ffff:7f00:1]`), site-local addresses (`[fec0::/10]`), SRv6 SIDs (`[5f00::/16]`), IPv6 documentation v2 (`[3fff::/20]`), and NAT64 local-use addresses (`[64:ff9b:1::/48]`). Second, the software lacks redirect re-validation; the `isBlockedUrl()` check is only performed on the initial request, but the subsequent `$fetch()` operation follows HTTP 3xx redirects without validating the destination. This enables an attacker to use an allowed origin that redirects to an internal IP address to complete an SSRF attack. The vulnerability is triggered when user-influenced URLs are used within OG image components in production builds. **Recommendations** Update nuxt-og-image and @nuxtjs/og-image to version 6.4.9. As a temporary workaround, restrict user-influenced input in OG image components to prevent the use of arbitrary URLs.

**Name of the Vulnerable Software and Affected Versions** Twenty versions prior to 1.18.1 **Description** An issue in the `SecureHttpClientService` of twenty-server allows the bypass of Server-Side Request Forgery (SSRF) protections. This occurs because the Node.js URL parser normalizes IPv4-mapped IPv6 addresses into a compressed hex form, while the `isPrivateIp` utility only recognizes dotted-decimal notation. Consequently, the hex form bypasses the SSRF check. Furthermore, the socket lookup validation event is not triggered for IP literal addresses, bypassing the second layer of validation. An authenticated user can exploit this to access internal IPs, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys. **Recommendations** Update to a version later than 1.18.0.

**Name of the Vulnerable Software and Affected Versions** Wallos versions prior to 4.7.0 **Description** Wallos is a self-hostable, open-source personal subscription tracker. An authenticated user can potentially access internal network services, cloud metadata endpoints like AWS IMDSv1, GCP, and Azure IMDS, or services bound to localhost. This is possible by providing a manipulated URL to the AI Ollama host parameter, the AI recommendations endpoint, or the notification cron job. The patch introduced in commit e8a513591 added Server-Side Request Forgery (SSRF) protection to notification test endpoints but did not cover these additional attack surfaces. **Recommendations** Update to version 4.7.0 or later.