activepieces File URL file.ts handleUrlFile server-side request forgery
Description
A vulnerability was detected in activepieces up to 0.83.0. This vulnerability affects the function handleUrlFile in the library packages/server/engine/src/lib/variables/processors/file.ts of the component File URL Handler. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- activepieces (no CPE), affected range: <= 0.83.0
Patches
None published by the vendor.
Vulnerability mechanics
Root cause
"The `handleUrlFile` function in `file.ts` uses raw `fetch(path)` without applying the engine's SSRF guard, allowing server-side request forgery."
Attack vector
An attacker with the ability to supply a FILE property URL value (e.g., through a workflow input or AI/tool-generated data) can set the URL to a loopback, private network, or cloud metadata endpoint. The `handleUrlFile` function in `file.ts` passes this URL directly to the global `fetch(path)` without applying the engine's SSRF guard. This allows the engine to reach localhost, RFC1918 addresses, link-local addresses, and cloud metadata services, and the returned bytes may become an `ApFile` that flows into subsequent actions, AI prompts, logs, or outbound integrations [ref_id=1].
What the fix does
The advisory recommends routing FILE URL downloads through the same SSRF-safe client/guard used by the engine network layer, rejecting unsafe schemes and private/link-local/loopback targets, revalidating redirects, and enforcing time/size limits [ref_id=1]. No patch has been published by the vendor; the advisory is the sole remediation guidance available.
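As an added illustration of the guard the advisory recommends (example code, not activepieces' own engine code), the block below implements an SSRF gate in TypeScript: it restricts the scheme, resolves the host through an injected resolver, refuses loopback, RFC1918, link-local (including the 169.254.169.254 metadata address), CGNAT and the IPv6/IPv4-mapped forms of those ranges, and follows redirects manually so that every hop is revalidated under hop and size caps. The `Resolver`, `Requester` and `Hop` shapes and the function names are assumptions chosen so the code runs offline; a real deployment would back them with `dns.promises.lookup({ all: true })` and `fetch` called with `redirect: "manual"`.

```typescript
import { isIP, isIPv4, isIPv6 } from "node:net";
// Injected dependencies (assumed shapes, not activepieces APIs) so the guard runs offline.
export type Resolver = (host: string) => Promise<string[]>;
export type Hop = { status: number; location?: string; contentLength?: number };
export type Requester = (url: URL) => Promise<Hop>;
// IPv4-mapped IPv6 in hex form (::ffff:7f00:1) is how the WHATWG URL parser serialises it.
const hexPairToV4 = (hi: string, lo: string): string => { const h = parseInt(hi, 16), l = parseInt(lo, 16); return `${h >> 8}.${h & 255}.${l >> 8}.${l & 255}`; };

// Loopback, RFC1918, link-local (incl. 169.254.169.254 metadata), CGNAT, unspecified, IPv6 ULA/link-local and mapped forms. Non-IP input fails closed.
export function isPrivateIp(ip: string): boolean {
  if (isIPv4(ip)) {
    const [a, b] = ip.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
  }
  if (isIPv6(ip)) {
    const v6 = ip.toLowerCase();
    const m = v6.match(/^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/);
    if (m) return isPrivateIp(m[1] ? m[1] : hexPairToV4(m[2], m[3]));
    return v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
  }
  return true;
}

// Restrict scheme, resolve the host, and refuse if ANY resolved address is private.
export async function assertSafeUrl(raw: string, resolve: Resolver): Promise<URL> {
  const url = new URL(raw); // throws on garbage; also normalises e.g. http://2130706433/ to 127.0.0.1
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`blocked scheme ${url.protocol}`);
  const host = url.hostname.replace(/^\[|\]$/g, ""); // WHATWG keeps [] around IPv6 literals
  const addrs = isIP(host) ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error(`unresolvable host ${host}`);
  for (const a of addrs) if (isPrivateIp(a)) throw new Error(`blocked address ${a} for ${host}`);
  return url;
}

// Follow redirects manually so every hop is revalidated; cap hop count and declared body size.
export async function fetchSafely(raw: string, resolve: Resolver, request: Requester, maxRedirects = 3, maxBytes = 10_000_000): Promise<URL> {
  let current = raw;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const url = await assertSafeUrl(current, resolve);
    const res = await request(url);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, url).toString(); // relative Location resolved against this hop
      continue;
    }
    if ((res.contentLength ?? 0) > maxBytes) throw new Error("response exceeds size limit");
    return url;
  }
  throw new Error("too many redirects");
}
```

The advisory's time limit is not shown here; a per-request timeout (for example `AbortSignal.timeout`) belongs in the injected requester, and the size cap should also be enforced while streaming since `Content-Length` is attacker-controlled.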
Preconditions
- Input: ability to supply a FILE property URL value (e.g., via workflow input or AI/tool-generated data)
- Network: network access to the Activepieces engine worker
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/dxz0069/softwareoverflow/blob/main/activepieces_file_property_url_ssrf_vulndb.md (mitre: exploit)
- vuldb.com/cve/CVE-2026-12813 (mitre: third-party-advisory)
- vuldb.com/submit/837553 (mitre: third-party-advisory)
- vuldb.com/vuln/372607 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/372607/cti (mitre: signature, permissions-required)