CVE-2021-22255
Description
SSRF in URL file upload in Baserow <1.1.0 allows remote authenticated users to retrieve files from the internal server network exposed over HTTP by inserting an internal address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSRF in Baserow URL file upload allows authenticated users to read internal services
Vulnerability
Baserow versions prior to 1.1.0 contain a server-side request forgery (SSRF) vulnerability in the URL file upload feature. An authenticated user can provide an internal network URL (e.g., http://localhost:8000/test.txt) in the file upload field, and the server will fetch and store the response as a file. The vulnerable component is the file upload endpoint that processes user-supplied URLs without verifying whether the target is a private IP address. Affected versions are all Baserow releases before 1.1.0 [1][2].
Exploitation
An attacker must be a remote authenticated user of Baserow with permission to upload files via URL. The attacker crafts a request to the file upload feature, supplying a URL pointing to an internal HTTP service (e.g., http://192.168.1.5/internal-document). No further privileges or user interaction is required beyond the authenticated session. The server then makes an HTTP request to the supplied URL and saves the response content as a stored file accessible within the Baserow instance [2].
Impact
Successful exploitation allows the attacker to retrieve files or data from internal HTTP servers that are accessible from the Baserow server. This can include sensitive configuration files, internal application data, or other secrets exposed over HTTP within the private network. The attacker gains read access to internal services, potentially leading to further lateral movement or information disclosure. The compromise is limited to HTTP-accessible endpoints on the internal network [2].
Mitigation
The vulnerability is fixed in Baserow version 1.1.0, released March 2021 [1]. The fix resolves the IP address of the provided URL and rejects requests to private IP addresses (e.g., 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16). Users should upgrade to Baserow 1.1.0 or later. No workarounds are documented; restricting authenticated user access to the file upload feature may reduce risk but is not a complete mitigation. The CVE is not listed in CISA KEV as of the publication date [1][2].
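The check described above (resolve the supplied URL's host, then refuse to fetch if it lands on a private or otherwise internal address) can be implemented with only the Python standard library. The block below is an added example written for this page; it is not Baserow's own code and does not reproduce the 1.1.0 patch. Function names, the injectable resolver, and all sample URLs and DNS answers are constructed for illustration. It goes slightly beyond the paragraph by also rejecting loopback, link-local, IPv4-mapped IPv6 and multicast addresses, and by rejecting a hostname when any of its resolved addresses is internal.

```python
"""Added example: reject URL-upload targets that resolve to internal addresses."""
import ipaddress
import socket
from typing import Callable, Dict, List, NamedTuple
from urllib.parse import urlsplit

# Assumption: uploads are only ever fetched over plain HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], List[str]]


class UrlCheck(NamedTuple):
    allowed: bool
    detail: str  # resolved address when allowed, reason for rejection otherwise


def system_resolver(host: str) -> List[str]:
    """Return every A/AAAA address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def make_static_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for DNS (constructed answers) so the example runs without network."""
    def resolve(host: str) -> List[str]:
        return table.get(host.lower(), [])
    return resolve


def is_internal_address(ip: str) -> bool:
    """True for any address an upload fetcher must never contact."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is loopback dressed up as IPv6; judge the embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_upload_url(url: str, resolver: Resolver = system_resolver) -> UrlCheck:
    """Decide whether a user-supplied upload URL may be fetched by the server."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 bracket syntax
        return UrlCheck(False, f"unparseable URL: {exc}")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return UrlCheck(False, f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        return UrlCheck(False, "missing host")
    # IP literals are judged directly; hostnames are resolved first, so that
    # names such as localhost, or a DNS entry the submitter controls, cannot
    # carry an internal address past a string-level blocklist.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return UrlCheck(False, f"unresolvable host: {host}")
    # Reject if ANY record is internal: a mixed public/private answer set
    # must not be fetched either.
    for ip in addresses:
        if is_internal_address(ip):
            return UrlCheck(False, f"{host} resolves to internal address {ip}")
    return UrlCheck(True, addresses[0])


if __name__ == "__main__":
    # Constructed DNS answers and sample URLs for a stand-alone demonstration.
    dns = make_static_resolver({
        "localhost": ["127.0.0.1", "::1"],
        "files.example.com": ["93.184.216.34"],
        "mixed.example.com": ["93.184.216.34", "10.0.0.7"],
    })
    for sample in ("http://localhost:8000/test.txt",
                   "http://192.168.1.5/internal-document",
                   "http://[::ffff:127.0.0.1]/",
                   "http://mixed.example.com/data",
                   "ftp://files.example.com/report.csv",
                   "https://files.example.com/report.csv"):
        print(f"{sample:45} -> {check_upload_url(sample, dns)}")
```

The function returns the address it validated so the caller can connect to that address rather than letting the HTTP client resolve the name a second time; otherwise a DNS answer that changes between check and fetch reopens the hole. The same check must be applied again to every redirect target the fetch follows, since a public host can redirect to an internal one.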
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Baserow B.V. / Baserow (affected range: >0.6.0, <1.1.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://baserow.io/blog/march-2021-release-of-baserow
- https://gitlab.com/bramw/baserow/-/issues/370
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22255.json
News mentions
No linked articles in our index yet.