CVE-2019-6257
Description
A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the content of internal network resources. This occurs in get_remote_contents() in php/elFinder.class.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SSRF vulnerability in elFinder before 2.1.46 allows a malicious user to access internal network resources via the `get_remote_contents()` function.
Vulnerability
A Server Side Request Forgery (SSRF) vulnerability exists in elFinder versions prior to 2.1.46. The flaw resides in the get_remote_contents() function in php/elFinder.class.php. The function fails to adequately validate the host portion of a URL, allowing an attacker to bypass basic checks (such as blocking the string 'localhost') and make requests to internal IP addresses and private network ranges [1][2][3].
Exploitation
An attacker with the ability to upload files via URL (or otherwise trigger a remote file retrieval) can provide a crafted URL pointing to an internal resource. No authentication is required if the elFinder instance is publicly accessible. The attacker does not need any special position beyond network access to the elFinder web interface [1][2]. The function's insufficient filtering of hostnames and IPs (e.g., IPv4 loopback, private network ranges, and link-local addresses) enables this exploitation [3].
Impact
Successful exploitation allows an attacker to read the content of internal network resources that are accessible from the server running elFinder. This leads to information disclosure of internal services, potentially exposing sensitive data such as internal application configurations, databases, or cloud metadata [1][2]. The attacker does not gain code execution directly, but the disclosed information can be used for further attacks.
Mitigation
Users should upgrade to elFinder version 2.1.46 or later, where the SSRF vulnerability has been fixed [1][2]. The commit 2f522db8f037a66ce9040ee0b216aa4a0359286c shows the explicit patch: it adds thorough checks for URL-encoded hosts, disallows 'localdomain' along with 'localhost', blocks IPv4 loopback addresses (127.0.0.0/8), private network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and link-local addresses (169.254.0.0/16) [3]. No workaround is provided for versions prior to 2.1.46, and upgrading is strongly recommended [1].
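To make the mitigation concrete, here is an added Python example (not elFinder's own code) that reimplements both the pre-fix and the post-fix host policy described above, with a strict dotted-decimal parser standing in for PHP's ip2long(); the function names and the `url_allowed()` wrapper are assumptions made for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Any spelling of a numeric IPv4 host: dotted-decimal, hex, octal-looking or shortened.
NUMERIC_HOST = re.compile(r"^(?:0x[0-9a-f]+|[0-9]+)(?:\.(?:0x[0-9a-f]+|[0-9]+)){0,3}$")
# The ranges the 2.1.46 fix rejects: loopback, RFC 1918 private and link-local.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def strict_ipv4(host):
    """Accept only canonical dotted-decimal (4 octets, no leading zeros, <= 255), like ip2long()."""
    octets = host.split(".")
    if len(octets) != 4:
        return None
    value = 0
    for octet in octets:
        if not octet.isdigit() or (len(octet) > 1 and octet[0] == "0") or int(octet) > 255:
            return None
        value = (value << 8) | int(octet)
    return ipaddress.IPv4Address(value)

def legacy_host_allowed(host):
    """Pre-2.1.46 policy from the '-' lines: substring 'localhost' and a 127/0177/0x7f prefix regex."""
    host = host.lower()
    if ":" in host or "." not in host or "localhost" in host:  # no IPv6 literals, no dotless hosts
        return False
    return re.match(r"^(?:127|0177|0x7f)\.[0-9a-fx.]+$", host) is None

def hardened_host_allowed(host):
    """Post-fix policy: trim trailing dots, reject percent-encoding and localdomain, range-check IPs."""
    host = host.lower().strip(".")
    if ":" in host or "." not in host or "%" in host:
        return False
    if re.search(r"\b(?:localhost|localdomain)\b", host):
        return False
    if NUMERIC_HOST.match(host):
        addr = strict_ipv4(host)
        if addr is None or int(addr) == 0:  # hex/octal/short forms and 0.0.0.0 fail closed
            return False
        return not any(addr in net for net in BLOCKED_RANGES)
    return True

def url_allowed(url, host_check=hardened_host_allowed):
    """Scheme gate from get_remote_contents(), then the host policy on the parsed hostname."""
    if not re.match(r"^(?:ht|f)tps?://", url, re.IGNORECASE):
        return False
    host = urlsplit(url).hostname  # lowercased, userinfo and port stripped, IPv6 brackets removed
    return bool(host) and host_check(host)
```

Passing `host_check=legacy_host_allowed` to `url_allowed()` shows which internal-range hosts the old checks let through and the new ones refuse.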
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| studio-42/elfinder (Packagist) | < 2.1.49 | 2.1.49 |
Patches
2f522db8f037: [php:core:security] fix SSRF vulnerability of `get_remote_contents()`
1 file changed · +28 −6
php/elFinder.class.php+28 −6 modified@@ -2410,23 +2410,41 @@ protected function get_remote_contents(&$url, $timeout = 30, $redirect_max = 5, { if (preg_match('~^(?:ht|f)tps?://[-_.!\~*\'()a-z0-9;/?:\@&=+\$,%#\*\[\]]+~i', $url)) { $info = parse_url($url); - $host = strtolower($info['host']); + $host = trim(strtolower($info['host']), '.'); // do not support IPv6 address if (preg_match('/^\[.*\]$/', $host)) { return false; } - // do not support non dot URL + // do not support non dot host if (strpos($host, '.') === false) { return false; } - // disallow including "localhost" - if (strpos($host, 'localhost') !== false) { + // do not support URL-encoded host + if (strpos($host, '%') !== false) { return false; } - // check IPv4 local loopback - if (preg_match('/^(?:127|0177|0x7f)\.[0-9a-fx.]+$/', $host)) { + // disallow including "localhost" and "localdomain" + if (preg_match('/\b(?:localhost|localdomain)\b/', $host)) { return false; } + // check IPv4 local loopback, private network and link local + if (preg_match('/^0x[0-9a-f]+|[0-9]+(?:\.(?:0x[0-9a-f]+|[0-9]+)){1,3}$/', $host, $m)) { + $long = (int)sprintf('%u', ip2long($host)); + if (!$long) { + return false; + } + $local = (int)sprintf('%u', ip2long('127.255.255.255')) >> 24; + $prv1 = (int)sprintf('%u', ip2long('10.255.255.255')) >> 24; + $prv2 = (int)sprintf('%u', ip2long('172.31.255.255')) >> 20; + $prv3 = (int)sprintf('%u', ip2long('192.168.255.255')) >> 16; + $link = (int)sprintf('%u', ip2long('169.254.255.255')) >> 16; + + if ($long >> 24 === $local || $long >> 24 === $prv1 || $long >> 20 === $prv2 || $long >> 16 === $prv3 || $long >> 16 === $link) { + return false; + } + } + // dose not support 'user' and 'pass' for security reasons + $url = $info['scheme'].'://'.$host.(!empty($info['port'])? (':'.$info['port']) : '').$info['path'].(!empty($info['query'])? ('?'.$info['query']) : '').(!empty($info['fragment'])? 
('#'.$info['fragment']) : ''); // check by URL upload filter if ($this->urlUploadFilter && is_callable($this->urlUploadFilter)) { if (!call_user_func_array($this->urlUploadFilter, array($url, $this))) { @@ -2551,6 +2569,10 @@ protected function fsock_get_contents(&$url, $timeout, $redirect_max, $ua, $outf sleep(1); // wait 1sec } + if (!$fp) { + return false; + } + $fwrite = 0; for ($written = 0; $written < strlen($query); $written += $fwrite) { $fwrite = fwrite($fp, substr($query, $written));
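Review bot: In the rebuilt `$url` at the end of the first hunk, `$info['path']` is concatenated unguarded while `port`, `query` and `fragment` each get an `!empty()` check; `parse_url()` returns no `path` element for a bare-host URL such as `http://example.com`, which the leading scheme regex accepts, so that input raises an undefined-index notice on the new line. Suggest `(!empty($info['path']) ? $info['path'] : '/')` for symmetry with the other components. Two documentation points on the range check: the numeric-host regex `'/^0x[0-9a-f]+|[0-9]+(?:\.(?:0x[0-9a-f]+|[0-9]+)){1,3}$/'` has unparenthesised alternation, so its first branch effectively means "starts with 0x" and its second also matches ordinary hostnames that merely end in `digits.digits`; both cases are then rejected because, on PHP builds using inet_pton(), `ip2long()` returns false for anything but canonical dotted-decimal and the `if (!$long)` branch fails closed (the same branch covers `0.0.0.0`). That fail-closed path is what actually protects against hex, octal and shortened address spellings, and a comment saying so would stop a later edit from "tidying" the regex and weakening it. Finally, the comment `dose not support 'user' and 'pass'` should read `does not support`.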
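Review bot: The new `if (!$fp) { return false; }` guard in the second hunk correctly stops the write loop from calling `fwrite()` on a failed handle, but the loop immediately below it, `for ($written = 0; $written < strlen($query); $written += $fwrite) { $fwrite = fwrite($fp, substr($query, $written));`, still does not handle `fwrite()` returning `false` or `0`: `$written += false` adds nothing, so a write error on an open socket keeps the loop running without progress instead of failing. Suggest breaking out and returning false when `$fwrite === false || $fwrite === 0`, matching the new guard.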
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3qhm-qfj3-4rrx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-6257 (GHSA, advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/studio-42/elfinder/CVE-2019-6257.yaml (GHSA, web)
- github.com/Studio-42/elFinder/blob/2.1.49/Changelog (GHSA, web)
- github.com/Studio-42/elFinder/blob/68ec63c0aeca3963101aca8f842dc9f2e4c4c6d3/Changelog (MITRE, x_refsource_MISC)
- github.com/Studio-42/elFinder/commit/2f522db8f037a66ce9040ee0b216aa4a0359286c (GHSA and MITRE, x_refsource_MISC, web)
- github.com/Studio-42/elFinder/releases/tag/2.1.49 (GHSA, web)