GHSA-hmcr-rmjq-47qr

Source
https://github.com/advisories/GHSA-hmcr-rmjq-47qr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hmcr-rmjq-47qr/GHSA-hmcr-rmjq-47qr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hmcr-rmjq-47qr
Aliases
  • CVE-2026-53931
Published
2026-06-17T14:08:26Z
Modified
2026-06-17T14:15:07.764673866Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Details

Summary

The spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv (for example https://example.com/robots.txt?.csv) satisfied the gate even though the underlying request was for robots.txt.

Details

Three layers of protection now apply to the endpoint:

  • The controller is decorated with @UseGuards(DataApiLimiterGuard, GlobalGuard) and @Acl('fetchViaUrl'), so unauthenticated callers and callers without the editor role are rejected before the request body is processed.
  • The extension allowlist is tested against url.pathname only. Callers can no longer satisfy the regex by appending a .csv suffix to the query string.
  • The downstream axios call is wired to useAgent(url) from request-filtering-agent, which blocks RFC 1918, loopback, link-local, and other private destinations at the socket layer.
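The following is an added illustration, not NocoDB's code, of the two URL checks the advisory contrasts: an extension allowlist regex tested against the full URL string versus one tested against url.pathname, together with a pre-flight check that rejects literal private, loopback and link-local destinations. ALLOWED_EXT, the function names and the sample URLs are constructed for this example; NocoDB's actual regex and identifiers are not on this page.

```javascript
// Added example (not NocoDB's code). Contrasts a regex allowlist applied to the
// whole URL with one applied to url.pathname, and adds a hostname-level check for
// private destinations. ALLOWED_EXT and every function name here are hypothetical.
const ALLOWED_EXT = /\.(csv|xlsx?|json)$/i;

// Weak form: the regex sees the query string, so a URL whose query ends in ".csv"
// satisfies it even though the path points at a different resource.
function extensionAllowedFullUrl(urlString) {
  return ALLOWED_EXT.test(urlString);
}

// Hardened form: only the path component is tested; query and fragment are ignored.
function extensionAllowedPathname(urlString) {
  return ALLOWED_EXT.test(new URL(urlString).pathname);
}

// RFC 1918, loopback, link-local and "this network" ranges, by dotted-quad literal.
function isPrivateIPv4(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return false;
  const octets = parts.map(Number);
  if (octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) return false;
  const [a, b] = octets;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

// Hostname-level pre-flight only. A DNS name that resolves to a private address
// is not caught here, which is why the advisory's fix also filters the resolved
// destination at the socket layer (request-filtering-agent) rather than relying
// on URL inspection alone.
function isPrivateDestination(urlString) {
  const { hostname } = new URL(urlString);
  // WHATWG URL reports IPv6 literals in brackets, e.g. "[::1]"; strip them.
  const host = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host === '::1' || host === '::') return true;
  return isPrivateIPv4(host);
}

// Combined gate. Returns a reason string so rejections can be logged and alerted on.
function validateImportUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  if (!extensionAllowedPathname(urlString)) {
    return { ok: false, reason: 'extension not allowed' };
  }
  if (isPrivateDestination(urlString)) {
    return { ok: false, reason: 'private destination' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample inputs: the advisory's own example URL beside a legitimate one.
const SAMPLES = [
  'https://example.com/robots.txt?.csv',
  'https://example.com/data.csv?v=2',
  'http://127.0.0.1:8080/data.csv',
];
for (const s of SAMPLES) {
  console.log(s, '->', validateImportUrl(s).reason);
}
```

The hostname check is deliberately only a first filter: redirects, DNS names resolving to internal addresses, and rebinding are not visible at parse time, so the socket-layer agent the advisory describes remains the control that actually blocks the connection.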

Impact

Unauthenticated callers could previously coerce the NocoDB process into issuing HTTP requests on their behalf, including to internal services reachable from the host. With the authentication gate in place, the pathname-anchored extension check, and socket-layer destination filtering, the endpoint is no longer usable as a generic proxy and can no longer reach private address ranges.

Credit

This issue was reported by the GitHub Security Lab (@p-, @m-y-mo).

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-441",
        "CWE-918"
    ],
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-06-17T14:08:26Z"
}
References

Affected packages

npm / nocodb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.301.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hmcr-rmjq-47qr/GHSA-hmcr-rmjq-47qr.json"