Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio
Description
WireMock is a tool for mocking HTTP services. The proxy mode of WireMock can be protected by the network restrictions configuration, as documented in "Preventing proxying to and recording from specific target addresses". These restrictions can be configured using domain names, and in that case the configuration is vulnerable to DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. The root cause is a logic defect that allows a race condition: a DNS server can return an address that expires between the initial validation and the outbound network request, so the request may go to a destination that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the Python version of wiremock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users are advised to upgrade. Users unable to upgrade should either configure firewall rules to define the list of permitted destinations or configure WireMock to use IP addresses instead of domain names.
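The gap between validation and the outbound request can be reproduced offline with a simulated resolver. The sketch below is an added example, not WireMock's code or its patch: the resolver class, function names, deny ranges, host name and addresses are all constructed for illustration. It contrasts a check that validates one lookup and then lets the client resolve again with a variant that resolves once and connects to the validated address.

```python
import ipaddress

# Constructed deny rule: block proxying to loopback and RFC 1918 ranges.
DENIED = [ipaddress.ip_network(n) for n in
          ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class RebindingResolver:
    """Constructed stand-in for a DNS server whose answer expires at once:
    the first lookup returns answers[0], later lookups the following entries."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.lookups = 0

    def resolve(self, host):
        ip = self.answers[min(self.lookups, len(self.answers) - 1)]
        self.lookups += 1
        return ip


def is_denied(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENIED)


def connect(target, resolver):
    """Hypothetical outbound call. Given a host name it performs its own
    lookup, as an HTTP client would; returns the IP actually contacted."""
    try:
        ipaddress.ip_address(target)
        return target                    # IP literal: no lookup happens
    except ValueError:
        return resolver.resolve(target)


def proxy_check_then_use(host, resolver):
    """Flawed pattern: validate one lookup, then let the client look up again."""
    if is_denied(resolver.resolve(host)):
        raise PermissionError("target denied")
    return connect(host, resolver)       # second lookup is never validated


def proxy_pinned(host, resolver):
    """Resolve once, validate that address, connect to that same address."""
    ip = resolver.resolve(host)
    if is_denied(ip):
        raise PermissionError("target denied")
    return connect(ip, resolver)         # no second lookup to race against
```

With the constructed answers `["203.0.113.10", "10.0.0.5"]`, the first function ends up contacting `10.0.0.5` after two lookups, while the pinned variant contacts `203.0.113.10` after one.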
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WireMock proxy mode domain restrictions can be bypassed via DNS rebinding due to a race condition between validation and outbound request.
Vulnerability Overview
WireMock's proxy mode includes a network restrictions configuration that can be used to block proxying or recording from specific target addresses. When restrictions are configured using domain names, the validation logic is susceptible to DNS rebinding attacks. The root cause is a race condition where a DNS server can change the resolved IP address between the initial validation check and the actual outbound network request, allowing requests to reach domains that were intended to be prohibited [1], [2], [4].
Exploitation Conditions
Successful exploitation requires control over a DNS service to perform a rebinding attack, which makes the attack complexity high. The attacker must be able to influence DNS resolution so that the domain resolves to a prohibited address after validation passes. This attack does not require authentication to WireMock itself, but network access to the WireMock server is necessary [2], [4].
Impact
An attacker who controls DNS can bypass the domain-based network restrictions configured in WireMock's proxy mode, potentially enabling proxying to or recording from unintended destinations. This could allow unauthorized access to internal or external services that WireMock is configured to block, depending on the organization's security policies [2], [4].
Mitigation and Patches
The issue has been fixed in WireMock 2.35.1, WireMock 3.0.3, the Python version 2.6.1, and corresponding Docker images (2.35.1-1 and 3.0.3-1). Users unable to upgrade can either configure firewall rules to restrict permitted destinations or configure WireMock to use IP addresses instead of domain names for restrictions [1], [2], [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wiremock:wiremock-standalone (Maven) | < 3.0.3 | 3.0.3 |
| org.wiremock:wiremock (Maven) | < 3.0.3 | 3.0.3 |
| com.github.tomakehurst:wiremock-jre8 (Maven) | < 2.35.1 | 2.35.1 |
| com.github.tomakehurst:wiremock-jre8-standalone (Maven) | < 2.35.1 | 2.35.1 |
| wiremock (PyPI) | < 2.6.1 | 2.6.1 |
References
- github.com/advisories/GHSA-pmxq-pj47-j8j4 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-41329 (ADVISORY)
- github.com/wiremock/wiremock/security/advisories/GHSA-pmxq-pj47-j8j4 (WEB)
- wiremock.org/docs/configuration/ (WEB)