GHSA-rw8p-c6hf-q3pg

Suggest an improvement
Source
https://github.com/advisories/GHSA-rw8p-c6hf-q3pg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-rw8p-c6hf-q3pg/GHSA-rw8p-c6hf-q3pg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rw8p-c6hf-q3pg
Aliases
Published
2026-03-06T18:40:58Z
Modified
2026-03-23T04:55:58.925812213Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
PinchTab has SSRF with Full Response Exfiltration via Download Handler
Details

SSRF with Full Response Exfiltration via Download Handler

Summary

A Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.

Details

The GET /download?url=<url> handler in download.go accepts a user-controlled url parameter and passes it directly to chromedp.Navigate(dlURL) without any validation or sanitization.

// internal/handlers/download.go:78
if err := chromedp.Run(ctx, chromedp.Navigate(dlURL)); err != nil {
    return fmt.Errorf("navigate to %s: %w", dlURL, err)
}

Since the request is performed by the headless Chrome browser instance managed by PinchTab, it can access: 1. Local Files: Using the file:// scheme (e.g., file:///etc/passwd). 2. Internal Services: Accessing services bound to localhost or internal network IPs that are not reachable from the outside. 3. Cloud Metadata: Accessing cloud provider metadata endpoints (e.g., 169.254.169.254).

The server then returns the captured response body directly to the attacker, enabling full exfiltration of sensitive data.

PoC

To reproduce the vulnerability, ensure the PinchTab server is running and accessible.

  1. Local File Read: Execute the following curl command to read /etc/passwd:

    curl -X GET "http://localhost:9867/download?url=file:///etc/passwd"

  2. Internal Service Access: If a service is running on localhost:8080, access it via:

    curl -X GET "http://localhost:9867/download?url=http://localhost:8080/internal-admin"

The response will contain the content of the targeted file or service.

PoC video:

https://github.com/user-attachments/assets/b15776ea-13cc-4534-ba7b-6d5c4e0ee74f

Impact

This is a high-severity SSRF vulnerability. It impacts the confidentiality and security of the host system and the internal network where PinchTab is deployed. Attackers can exfiltrate sensitive system files, probe internal network infrastructure, and potentially gain access to internal management interfaces or cloud credentials. While PinchTab is often used in local environments, any deployment where the API is exposed (even with authentication) allows a compromised or malicious client to pivot into the internal network.

Database specific 
{
    "github_reviewed": true,
    "nvd_published_at": "2026-03-07T16:15:56Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed_at": "2026-03-06T18:40:58Z",
    "severity": "HIGH"
}
References

Affected packages

Go / github.com/pinchtab/pinchtab/cmd/pinchtab

Package

Name
github.com/pinchtab/pinchtab/cmd/pinchtab
View open source insights on deps.dev
Purl
pkg:golang/github.com/pinchtab/pinchtab/cmd/pinchtab

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.7.7

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-rw8p-c6hf-q3pg/GHSA-rw8p-c6hf-q3pg.json"
last_known_affected_version_range 
"<= 0.7.6"