PT-2024-22142 · Rsshub · Rsshub

Ouuan · Published 2024-03-06 · Updated 2025-12-04 · CVE-2024-27927

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions
RSSHub versions prior to 1.0.0-master.a429472
Description
The issue allows a remote attacker to use the server as a proxy: by sending crafted requests to a RSSHub server, the attacker can make it send HTTP GET requests to arbitrary destinations and observe partial responses. This can be used to retrieve information from the internal network or to conduct Denial-of-Service (DoS) attacks. Possible consequences are leaking the server's IP address, discovering reachable addresses and ports on the internal network, reading the titles and meta descriptions of internal HTML pages, and denial-of-service amplification.
Recommendations
For RSSHub versions prior to 1.0.0-master.a429472, update to version 1.0.0-master.a429472 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as /mastodon/acct/:acct/statuses/:only_media?, /zjol/paper/:id?, and /m4/:id?/:category*, to minimize the risk of exploitation. Avoid using these endpoints until the issue is resolved.

Exploit · Fix · DoS · SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-27927
GHSA-3P3P-CGJ7-VGW3

Affected Products

Rsshub