GHSA-gprh-27j3-g5h4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gprh-27j3-g5h4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-gprh-27j3-g5h4/GHSA-gprh-27j3-g5h4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gprh-27j3-g5h4
- Aliases
-
- CVE-2026-53927
- Published
- 2026-06-17T14:06:43Z
- Modified
- 2026-06-17T14:15:07.733429453Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
- Details
-
Summary
The spreadsheet-fetch endpoint (
axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted127.0.0.0/8and169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL.Details
The extension matcher is now anchored to the end of the path or immediately before the query string (
/\.(xls|xlsx|xlsm|ods|ots)(\?|$)/iand/\.(csv)(\?|$)/i), sohttp://169.254.169.254/credentials/.xlsxno longer satisfies the format gate. The hand-rolled IP blocklist is removed in favour ofuseAgent(url)fromrequest-filtering-agent, which blocks private and loopback ranges at the socket layer.Impact
Authenticated users with editor permission could read cloud metadata and other internal HTTP endpoints reachable from the NocoDB process. On affected installs the spreadsheet import path was a credential-exfiltration primitive on cloud hosts.
Credit
This issue was reported by Devel Group Security Research Team through @TREXNEGRO. It was independently reported by @l3tchupkt.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2026-06-17T14:06:43Z" }- References
Affected packages
npm / nocodb
Package
- Name
- nocodb
- View open source insights on deps.dev
- Purl
- pkg:npm/nocodb