CVE-2026-53607— ApostropheCMS 服务端请求伪造漏洞

@apostrophecms/file pretty-URL Vulnerable to Unauthenticated SSRF via Host header

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the public pretty-URL handler builds the upstream URL using the raw `Host` HTTP request header. That URL is then `fetch`'ed and the response body + headers are streamed straight back to the requester. Because `Host` is fully attacker-controlled, an unauthenticated remote attacker can pivot the apostrophe process to issue outbound HTTP requests against any host it can reach on the private network. The path component is constrained to `/uploads/attachments/<cuid>-<slug>.<ext>` (built from a local-DB lookup), which keeps the impact narrow: cross-instance data exfiltration is neutralized by cuid uniqueness, but blind-SSRF residuals remain (network-topology mapping via response-code / timing differences and verbose proxy/WAF 404 body disclosure). As of time of publication, no known patched versions exist.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

服务端请求伪造(SSRF)

ApostropheCMS 服务端请求伪造漏洞

apostrophecms是Apostrophecms公司开源的一个内容管理系统。 ApostropheCMS 4.30.0及之前版本存在安全漏洞，该漏洞源于当启用prettyUrls功能时，公开的pretty-URL处理器使用原始的Host HTTP请求标头构建上游URL，可能导致未经身份验证的远程攻击者利用此漏洞发起服务端请求伪造攻击。

N/A

N/A