VYPR
High severity | NVD Advisory | Published Mar 31, 2023 | Updated Feb 18, 2025

CVE-2023-27159

Description

Appwrite <=v1.2.1 is vulnerable to unauthenticated SSRF via /v1/avatars/favicon, allowing access to internal resources and sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-27159 is a Server-Side Request Forgery (SSRF) vulnerability in Appwrite versions up to and including v1.2.1. The flaw resides in the /v1/avatars/favicon API endpoint, which does not properly validate URLs supplied by the user. An attacker can craft a GET request to this endpoint with a malicious url parameter, causing the server to make outbound HTTP requests to arbitrary destinations of the attacker's choosing [1][3].

Exploitation

The vulnerability is exploitable without authentication, as the affected endpoint is publicly accessible in the default configuration. No special privileges or prior access are required; any remote attacker can send a crafted request to the Appwrite instance. The SSRF is triggered directly by the url parameter, which the server processes to fetch a favicon but fails to restrict internal or private IP ranges [3][4].

Impact

A successful SSRF attack enables an attacker to access network resources that are not directly exposed to the internet, such as internal services, cloud metadata endpoints (e.g., AWS 169.254.169.254), or other sensitive information reachable from the Appwrite server. The impact includes unauthorized data disclosure, potential enumeration of internal infrastructure, and in some scenarios, further exploitation of internal systems [1][3].

Mitigation

As of the publication date (March 2023), the vulnerability affects Appwrite versions ≤1.2.1. Users should upgrade to a patched version beyond v1.2.1 once available. No official workaround is documented, but restricting network egress from the Appwrite server and implementing input validation on the url parameter can reduce risk. The CVE is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
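A defensive check of the kind the mitigation above describes, written as an added example rather than Appwrite's own code: it validates a user-supplied favicon URL before the server fetches it, rejecting any host that resolves to a private, loopback, link-local (which covers the 169.254.169.254 metadata address), multicast or otherwise non-global address, and returns the resolved IP so the fetch can be pinned to it. The function names, the `resolver` hook and the pinning contract are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

def is_internal_address(ip_str):
    """True if an address must never be fetched on a user's behalf (fail closed)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # unparseable answers are rejected, not guessed at
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)

def default_resolver(host):
    """Every A/AAAA answer for host from the system resolver (assumed hook)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_favicon_url(url, resolver=default_resolver):
    """Return (url, pinned_ip) if the URL is safe to fetch, else raise ValueError.

    The caller should connect to pinned_ip (keeping the hostname for the Host
    header / TLS SNI) rather than resolve again, so the DNS answer cannot
    change between this check and the actual fetch (DNS rebinding).
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError("only http/https favicon URLs are accepted")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addresses = resolver(host)
    except (socket.gaierror, UnicodeError) as exc:
        raise ValueError(f"host does not resolve: {exc}") from exc
    if not addresses:
        raise ValueError("host does not resolve")
    # Reject if ANY answer is internal: a name under attacker control can mix
    # public and private records and hope the client picks the private one.
    for addr in addresses:
        if is_internal_address(addr):
            raise ValueError(f"host resolves to internal address {addr}")
    return url, addresses[0]
```

Pair this with network egress filtering on the Appwrite host, since a URL check alone cannot stop a redirect from a public host to an internal one unless redirects are re-validated hop by hop.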

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
appwrite/server-ce (Packagist)   <= 1.2.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in the index yet)