CVE-2024-1063
Description
Appwrite <= v1.4.13 is affected by a Server-Side Request Forgery (SSRF) via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Appwrite <= v1.4.13 suffers from an unauthenticated SSRF via the /v1/avatars/favicon endpoint due to an incomplete fix of CVE-2023-27159.
Vulnerability
Appwrite versions up to and including v1.4.13 are vulnerable to a Server-Side Request Forgery (SSRF) attack via the /v1/avatars/favicon endpoint. This vulnerability is a bypass of an incomplete fix for CVE-2023-27159 [1]. An attacker can exploit this to make the server send requests to arbitrary internal or external hosts.
Exploitation
An unauthenticated attacker with network access to the Appwrite instance can send a crafted request to the /v1/avatars/favicon endpoint, specifying a target URL. The server will then initiate a request to that URL, allowing the attacker to probe internal services, read response data, or perform further attacks [1].
Impact
Successful exploitation allows the attacker to perform SSRF, enabling reconnaissance of internal network services, potential information disclosure, and possibly leveraging the server's trust to access restricted resources [1].
Mitigation
Upgrade to Appwrite version 1.5.0 or later, which contains the fix for this vulnerability [1]. No workaround has been publicly disclosed.
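As an added illustration of the class of defense involved (example code written for this entry, not Appwrite's own code and not its actual fix): an endpoint that fetches a favicon from a caller-supplied URL should resolve the host and refuse any address in loopback, private, link-local or similar ranges before connecting. The `resolver` parameter is an assumption that lets a test substitute constructed DNS results.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical guard for a "fetch favicon from this URL" endpoint.
# Assumption: the fetcher connects only to the IPs this function returns.

def _blocked_ip(ip: str) -> bool:
    """True for any address a server-side fetch must never reach."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.1) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def resolve_safe_target(url: str, resolver=socket.getaddrinfo):
    """Return (host, [ips]) if every resolved address is public, else None.

    Checks the resolved addresses rather than the hostname string, so
    aliases for localhost and private hosts are rejected too.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # only web schemes, and only with a host
    host = parts.hostname
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:  # bare IP literal: check it directly
        return None if _blocked_ip(host) else (host, [str(literal)])
    try:
        infos = resolver(host, None)
    except socket.gaierror:
        return None
    ips = sorted({info[4][0] for info in infos})
    # Reject if *any* answer is internal (a mixed answer set is a red flag).
    if not ips or any(_blocked_ip(ip) for ip in ips):
        return None
    return host, ips
```

The check must be repeated on every redirect hop, and the fetcher should connect to the validated IP rather than re-resolving the name, otherwise DNS rebinding or a redirect can still point the request inward.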
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.4.13
- Appwrite/Appwrite v5, Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.