PT-2026-50477 · Npm · Nocodb
Published
2026-06-17
·
Updated
2026-06-17
·
CVE-2026-53931
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Summary
The spreadsheet-import endpoint
axiosRequestMake could be used as a generic
HTTP proxy. Before the fix it was reachable unauthenticated, and its
URL-extension allowlist was a regex tested against the full URL string, so
URLs whose query string ended in .csv (for example
https://example.com/robots.txt?.csv) satisfied the gate even though the
underlying request was for robots.txt.Details
Three layers of protection now apply to the endpoint:
- The controller is decorated with
@UseGuards(DataApiLimiterGuard, GlobalGuard)and@Acl('fetchViaUrl'), so unauthenticated callers and callers without the editor role are rejected before the request body is processed. - The extension allowlist is tested against
url.pathnameonly. Callers can no longer satisfy the regex by appending a.csvsuffix to the query string. - The downstream axios call is wired to
useAgent(url)fromrequest-filtering-agent, which blocks RFC 1918, loopback, link-local, and other private destinations at the socket layer.
Impact
Unauthenticated callers could previously coerce the NocoDB process to issue
HTTP requests on their behalf, including to internal services reachable from
the host. With the auth gate in place and the pathname-anchored extension
check combined with socket-layer destination filtering, the endpoint is no
longer usable as a generic proxy and can no longer reach private ranges.
Credit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nocodb