RSSHub vulnerable to SSRF in /mastodon, /zjoi, and /m4
Description
RSSHub before commit a429472 contains multiple SSRF vulnerabilities allowing an attacker to use the server as a proxy to probe internal networks and cause DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
RSSHub, an open-source RSS feed generator, is vulnerable to Server-Side Request Forgery (SSRF) in several routes, including /mastodon, /zjoi, and /m4. Prior to commit a429472, the application did not adequately validate user-supplied hostnames or URLs, allowing remote attackers to force the server to send HTTP GET requests to arbitrary destinations [1][2]. The root cause lies in the absence of input validation in the relevant route handlers. For example, in the /m4 route, the code directly constructs a URL from user-provided parameters without checking the hostname, as seen in the vulnerable source file [4]. Similarly, the Mastodon route relied on user-supplied domain names without sufficient restrictions [2][3].
Exploitation
Prerequisites
An attacker can exploit these vulnerabilities without authentication. The only requirement is network access to an RSSHub instance. By crafting a malicious request to one of the vulnerable endpoints, the attacker can cause the server to issue GET requests to arbitrary internal or external hosts. The attacker can specify targets such as internal IP addresses, ports, or URLs to large files. Chaining multiple SSRF requests in a single attacker request is also possible, amplifying the impact [1].
Impact
Successful exploitation allows an attacker to:
- Leak the server's internal IP address, which may be hidden behind a CDN.
- Probe internal network services to discover accessible hosts and ports.
- Retrieve partial content from internal web services (e.g., HTML titles and meta descriptions).
- Conduct Denial-of-Service (DoS) attacks by forcing the server to download large files or by chaining multiple requests, consuming server resources [1][2].
Mitigation
The vulnerability is patched in commit a429472, which introduced host validation using isValidHost in the /m4 route and tightened the allowed site list for Mastodon [3]. Users should upgrade to the patched version immediately. No workaround is documented other than applying the fix.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rsshub (npm) | < 1.0.0-master.a429472 | 1.0.0-master.a429472 |
Patches
a42947231104 Merge pull request from GHSA-3p3p-cgj7-vgw3
3 files changed · +8 −7
lib/routes/m4/index.ts+4 −0 modified@@ -4,6 +4,7 @@ const __dirname = getCurrentPath(import.meta.url); import cache from '@/utils/cache'; import got from '@/utils/got'; +import { isValidHost } from '@/utils/valid-host'; import { load } from 'cheerio'; import timezone from '@/utils/timezone'; import { parseDate } from '@/utils/parse-date'; @@ -12,6 +13,9 @@ import * as path from 'node:path'; export default async (ctx) => { const { id = 'news', category = 'china' } = ctx.req.param(); + if (!isValidHost(id)) { + throw new Error('Invalid id'); + } const limit = ctx.req.query('limit') ? Number.parseInt(ctx.req.query('limit'), 10) : 30; const rootUrl = `http://${id}.m4.cn`;
lib/routes/mastodon/acct.ts+0 −6 modified@@ -1,14 +1,8 @@ const utils = require('./utils'); -import { config } from '@/config'; export default async (ctx) => { const acct = ctx.req.param('acct'); const only_media = ctx.req.param('only_media') ? 'true' : 'false'; - const acctSite = acct.split('@').filter(Boolean)[1]; - - if (!config.feature.allow_user_supply_unsafe_domain && !utils.allowSiteList.includes(acctSite)) { - throw new Error(`This RSS is disabled unless 'ALLOW_USER_SUPPLY_UNSAFE_DOMAIN' is set to 'true'.`); - } const { site, account_id } = await utils.getAccountIdByAcct(acct);
lib/routes/mastodon/utils.ts+4 −1 modified@@ -4,7 +4,7 @@ import got from '@/utils/got'; import { parseDate } from '@/utils/parse-date'; import { config } from '@/config'; -const allowSiteList = ['mastodon.social', 'pawoo.net', config.mastodon.apiHost]; +const allowSiteList = ['mastodon.social', 'pawoo.net', config.mastodon.apiHost].filter(Boolean); const apiHeaders = (site) => { const { accessToken, apiHost } = config.mastodon; @@ -96,6 +96,9 @@ async function getAccountIdByAcct(acct) { if (!(site && acctDomain)) { throw new Error('Mastodon RSS is disabled due to the lack of <a href="https://docs.rsshub.app/en/install/#configuration-route-specific-configurations">relevant config</a>'); } + if (!config.feature.allow_user_supply_unsafe_domain && !allowSiteList.includes(site)) { + throw new Error(`RSS for this domain is disabled unless 'ALLOW_USER_SUPPLY_UNSAFE_DOMAIN' is set to 'true' or 'MASTODON_API_HOST' is set.`); + } const search_url = `https://${site}/api/v2/search`; const cacheUid = `mastodon_acct_id/${site}/${acct}`;
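Review bot: the new `isValidHost(id)` guard in lib/routes/m4/index.ts is only as strong as what `@/utils/valid-host` accepts, and that implementation is not part of this diff. Because `id` is interpolated as a subdomain label in `http://${id}.m4.cn`, confirm the validator rejects dots, slashes, `@`, `:` and `#`, so the value can only ever name a label under m4.cn. Also, `throw new Error('Invalid id')` for a caller-supplied value will surface as a generic server error; a client-error type (whatever RSSHub uses for bad parameters) would be the more accurate response.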
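Review bot: removing the allowlist check from lib/routes/mastodon/acct.ts is only safe because the same patch re-adds it inside `getAccountIdByAcct` in utils.ts, so this hunk should be reviewed together with that one rather than on its own. The removed code derived the domain with its own parsing (`acct.split('@').filter(Boolean)[1]`), which could disagree with how `getAccountIdByAcct` resolves `site`; centralizing the check on the resolved `site` closes that gap. Nothing left in the hunk uses `config`, so dropping the import is correct.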
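Review bot: the relocated check in lib/routes/mastodon/utils.ts runs on the resolved `site` inside `getAccountIdByAcct`, but only callers that go through this function are covered; verify that no other function in utils.ts builds an outbound `https://${site}/...` URL from a caller-supplied site without passing through it. `.filter(Boolean)` is needed because `config.mastodon.apiHost` may be unset, which previously left an `undefined` entry in `allowSiteList`. The `includes` comparison is exact-string, so a site differing only in letter case from an allowlisted entry is rejected; that fails closed, which is acceptable, but lowercasing `site` before the comparison would avoid surprising rejections.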
Vulnerability mechanics
Root cause
"Missing validation of user-supplied domain/host parameters before using them to construct outbound HTTP requests, enabling Server-Side Request Forgery (SSRF)."
Attack vector
An attacker sends a crafted HTTP GET request to the RSSHub server with a malicious `acct` parameter (e.g., `user@internal-service.local`) or `id` parameter (e.g., `192.168.1.1`). The server then makes an HTTP GET request to the attacker-controlled destination, allowing the attacker to probe internal network services, retrieve partial responses (titles, meta descriptions), or cause the server to download large files for DoS amplification. No authentication is required, and the attack can be chained to amplify impact [CWE-918].
Affected code
The vulnerability exists in `lib/routes/mastodon/acct.ts` and `lib/routes/mastodon/utils.ts` (Mastodon account route) and `lib/routes/m4/index.ts` (M4 route). In the Mastodon route, the domain extracted from the user-supplied `acct` parameter was not validated before being used to construct an outbound HTTP request. In the M4 route, the `id` parameter was used directly to build a URL (`http://${id}.m4.cn`) without host validation.
What the fix does
The patch addresses the SSRF in two ways. In `lib/routes/m4/index.ts`, a call to `isValidHost(id)` is added before constructing the URL, rejecting invalid hostnames early [patch_id=1708674]. In `lib/routes/mastodon/utils.ts`, the domain allowlist check (`!allowSiteList.includes(site)`) is moved from `acct.ts` into the shared `getAccountIdByAcct` function, ensuring the validation always runs regardless of which caller invokes the utility. The `allowSiteList` array is also filtered with `.filter(Boolean)` to remove any falsy entries, preventing accidental bypasses [patch_id=1708674].
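The validation pattern the fix applies, as an added stand-alone example and not RSSHub's own code (`isValidHostLabel`, `buildM4Url`, `buildAllowSiteList` and `isAllowedSite` are assumed names; the lowercase normalization goes one step beyond the patch): a single-label hostname check guarding the `http://${id}.m4.cn` construction from the overview, and the falsy-filtered Mastodon allowlist check from this section.

```typescript
// Added example, not RSSHub's code. The names below are assumptions; RSSHub's own
// validator is `isValidHost` from '@/utils/valid-host', whose source is not on this page.

// One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
// '.', '/', '@', ':', '#', '?' and whitespace are all rejected, because the value is
// interpolated as a subdomain of a fixed parent and must not be able to change the host.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHostLabel(label: string): boolean {
  return LABEL_RE.test(label);
}

// Hardened equivalent of `http://${id}.m4.cn`: validate first, then confirm with the
// URL parser that the effective host really sits under the intended parent domain.
function buildM4Url(id: string): string {
  if (!isValidHostLabel(id)) {
    throw new Error('Invalid id');
  }
  const url = new URL(`http://${id}.m4.cn`);
  // Defence in depth: a parsed hostname outside m4.cn means the label check was bypassed.
  if (!url.hostname.endsWith('.m4.cn')) {
    throw new Error('Unexpected host');
  }
  return url.toString();
}

// Mastodon-style allowlist. The configured API host may be undefined, so falsy entries are
// dropped (as the patch's .filter(Boolean) does); entries are lowercased here as well.
function buildAllowSiteList(configuredApiHost?: string): string[] {
  return ['mastodon.social', 'pawoo.net', configuredApiHost]
    .filter((s): s is string => Boolean(s))
    .map((s) => s.toLowerCase());
}

// Mirrors the patched check: allowed if the unsafe-domain feature flag is on, or if the
// resolved site is on the allowlist (compared case-insensitively).
function isAllowedSite(site: string, allowList: string[], allowUnsafeDomain = false): boolean {
  return allowUnsafeDomain || allowList.includes(site.toLowerCase());
}
```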
Preconditions
- config: The RSSHub server must be running a version prior to a429472 with the vulnerable routes enabled.
- auth: No authentication is required; the attacker only needs network access to the RSSHub server.
- network: The attacker must be able to send HTTP GET requests to the RSSHub server.
- input: The attacker supplies a malicious `acct` or `id` parameter in the request path.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3p3p-cgj7-vgw3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-27927 (ghsa, ADVISORY)
- github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js (ghsa, x_refsource_MISC, WEB)
- github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js (ghsa, x_refsource_MISC, WEB)
- github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js (ghsa, x_refsource_MISC, WEB)
- github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js (ghsa, x_refsource_MISC, WEB)
- github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069 (ghsa, x_refsource_MISC, WEB)
- github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3 (ghsa, x_refsource_CONFIRM, WEB)