PT-2024-35394 · 2Fauth · 2Fauth

Nicowaisman · Published 2024-11-20 · Updated 2025-08-04 · CVE-2024-52598

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: 2FAuth, versions prior to 5.4.1 (fixed in version 5.4.1).

Description: 2FAuth is a web application used to manage Two-Factor Authentication (2FA) accounts and generate their security codes. It contains two interconnected vulnerabilities: a Server-Side Request Forgery (SSRF) issue and a URI validation bypass issue. The POST /api/v1/twofaccounts/preview endpoint allows setting a remote URI to retrieve the image of a 2FA site. An attacker can abuse this functionality to force the application to make a GET request to an arbitrary URL. The library attempts to filter out URIs without an image extension, but the filter can be bypassed by appending #.svg to the URI. This combination of issues enables an attacker to retrieve URIs accessible from the application if their content type is text-based.

Recommendations: For 2FAuth version 5.4.1 and earlier, update to version 5.4.1 or later to fix the issues. As a temporary workaround, consider restricting access to the POST /api/v1/twofaccounts/preview endpoint until a patch is applied. Avoid using the POST /api/v1/twofaccounts/preview endpoint with untrusted input until the issue is resolved.
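The root cause described above is a suffix check applied to the raw URI string, which a fragment such as `#.svg` satisfies without changing the path the server actually requests. The following Python is an added example, not part of this advisory and not 2FAuth's own code: it places that kind of naive check beside a validator that inspects the parsed URL (scheme, host, path extension, no fragment or embedded credentials) and refuses hosts that resolve to non-public addresses. The function names, the allowed-extension list, the sample hostnames and the injectable `resolve` callback are all constructed for the example.

```python
"""Validating a user-supplied image URL before the server fetches it.

Added example: illustrates the weak check the advisory describes and a
stricter replacement. Nothing here is taken from 2FAuth's code base.
"""
import ipaddress
import socket
from pathlib import PurePosixPath
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of image extensions for the example.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}


def naive_has_image_extension(url: str) -> bool:
    """The weak pattern: a suffix test on the raw string.

    A fragment such as '#.svg' makes this pass even though the fragment is
    never sent to the server and the requested path has no image extension.
    """
    return url.lower().endswith(tuple(ALLOWED_EXTENSIONS))


def _is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def _default_resolve(host: str) -> List[str]:
    """Resolve a hostname to all of its addresses via the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_image_url(
    url: str, resolve: Optional[Callable[[str], List[str]]] = None
) -> Tuple[bool, str]:
    """Return (ok, reason) for a URL the server is about to fetch.

    `resolve` is a hostname -> list-of-IPs callback; it is injectable so the
    check can run offline in tests. Defaults to the system resolver.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    if parts.fragment:
        # A fragment never reaches the origin, so it must not influence the decision.
        return False, "fragment not allowed"
    # Check the extension of the parsed path only, not of the whole string.
    suffix = PurePosixPath(parts.path).suffix.lower()
    if suffix not in ALLOWED_EXTENSIONS:
        return False, "path extension %r is not an allowed image extension" % suffix

    # IP literals need no resolution; hostnames are resolved and every address checked.
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        try:
            addresses = (resolve or _default_resolve)(parts.hostname)
        except OSError:
            return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for ip in addresses:
        if not _is_public_address(ip):
            return False, "host resolves to non-public address %s" % ip
    return True, "ok"


if __name__ == "__main__":
    public = lambda host: ["93.184.216.34"]  # constructed resolver result
    for candidate in (
        "https://cdn.example/logo.png",
        "http://intranet.example/status#.svg",  # constructed bypass-style input
        "http://127.0.0.1/health.png",
    ):
        print(candidate, naive_has_image_extension(candidate), validate_image_url(candidate, public))
```

Extension checks only decide whether a fetch is attempted; after the fetch, the response should still be rejected unless its Content-Type and decoded bytes are actually an image, and any redirect target should pass the same validation, connecting to the address that was checked rather than re-resolving it.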

Tags: Exploit · Fix · XSS · SSRF

Weakness Enumeration

Related Identifiers: CVE-2024-52598, GHSA-XWXC-W7V3-2P4J

Affected Products: 2Fauth