High severity · NVD Advisory · Published Feb 26, 2026 · Updated Feb 26, 2026
TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
CVE-2026-27818
Description
TerriaJS-Server is a Node.js Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to have the server proxy requests to domains that are not explicitly listed in the proxyableDomains configuration. Version 4.0.3 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| terriajs-server (npm) | < 4.0.3 | 4.0.3 |
Affected products
- Range: < 4.0.3
Patches
3aaa5d971716 fix(proxy): allow only exact domain or subdomains to be considered valid host
1 file changed · +2 −2
lib/controllers/proxy.js+2 −2 modified@@ -94,9 +94,9 @@ module.exports = function (options) { host = host.toLowerCase(); //check that host is from one of these domains for (var i = 0; i < proxyDomains.length; i++) { + const domainLower = proxyDomains[i].toLowerCase(); if ( - host.indexOf(proxyDomains[i], host.length - proxyDomains[i].length) !== - -1 + host === domainLower || host.endsWith("." + domainLower) ) { return true; }
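Review bot: the new `host.endsWith("." + domainLower)` test stops matching any proxyableDomains entry written with a leading dot (an entry `.example.com` becomes `..example.com` and can never be a suffix of a hostname), whereas the old bare suffix test accepted such an entry for `foo.example.com`; either reject or strip a leading dot when the list is loaded, and document the accepted entry format. While doing that, normalise the entries once at startup instead of calling `toLowerCase()` on every entry for every request inside the loop. The hunk ends at `return true;`, so please confirm that falling out of the loop without a match still rejects the host.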
Vulnerability mechanics
Before 4.0.3, the allowlist check in lib/controllers/proxy.js lowercased the requested host and then tested each configured domain with `host.indexOf(proxyDomains[i], host.length - proxyDomains[i].length) !== -1`. That is a plain suffix match with no label boundary: with `example.com` allowed, a request for `evil-example.com` or `notexample.com` also passed, so the server could be made to proxy to hosts outside proxyableDomains. The old check also compared the lowercased host against the configured entry as written, so an entry containing upper-case letters never matched. The fix lowercases the configured domain and accepts a host only if it equals the domain or ends with "." followed by the domain, which limits matches to the domain itself and its subdomains.
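The two forms of the check side by side, as an added example written for this page rather than code taken from terriajs-server: the loop bodies mirror the removed and added lines of the fix commit, but the function names, the `return false` on fall-through (the hunk does not show what the real function does when no entry matches) and the allowlist and hostnames are constructed for the demonstration.

```javascript
// Added example (not terriajs-server's own code). Assumptions: the function
// names are invented, and "return false" after the loop is assumed, since the
// fix hunk only shows the "return true" branch.

// Pre-4.0.3 logic: a bare suffix match with no label boundary, and the
// configured entry is compared as written (not lowercased).
function isAllowedHostVulnerable(host, proxyDomains) {
  host = host.toLowerCase();
  for (let i = 0; i < proxyDomains.length; i++) {
    const d = proxyDomains[i];
    if (host.indexOf(d, host.length - d.length) !== -1) {
      return true;
    }
  }
  return false; // assumed fall-through behaviour
}

// 4.0.3 logic: exact match, or the entry preceded by a "." label boundary,
// with the entry lowercased before comparison.
function isAllowedHostFixed(host, proxyDomains) {
  host = host.toLowerCase();
  for (let i = 0; i < proxyDomains.length; i++) {
    const domainLower = proxyDomains[i].toLowerCase();
    if (host === domainLower || host.endsWith("." + domainLower)) {
      return true;
    }
  }
  return false; // assumed fall-through behaviour
}

// Constructed allowlist and hostnames (not from the advisory). The second
// entry is deliberately mixed-case to show the normalisation part of the fix.
const ALLOWLIST = ["example.com", "Data.Example.org"];
const SAMPLE_HOSTS = [
  "example.com",              // exact match: accepted by both
  "tiles.example.com",        // real subdomain: accepted by both
  "evil-example.com",         // suffix only: vulnerable accepts, fixed rejects
  "notexample.com",           // suffix with no separator at all: same
  "example.com.attacker.net", // allowed domain as a prefix: rejected by both
  "data.example.org",         // mixed-case entry: only the fixed check matches
];

// Evaluate every sample host under both checks.
function classify(hosts, allowlist) {
  return hosts.map((host) => ({
    host,
    vulnerable: isAllowedHostVulnerable(host, allowlist),
    fixed: isAllowedHostFixed(host, allowlist),
  }));
}

// Hosts that slip through the old check but not the new one.
function bypassHosts(hosts, allowlist) {
  return classify(hosts, allowlist)
    .filter((r) => r.vulnerable && !r.fixed)
    .map((r) => r.host);
}

console.table(classify(SAMPLE_HOSTS, ALLOWLIST));
console.log("bypass hosts:", bypassHosts(SAMPLE_HOSTS, ALLOWLIST));
```

Run it with `node` to see the table; the two suffix-only hosts are the ones the old check lets through, and `data.example.org` shows the reverse case, an allowed host the old check rejected because the configured entry was never lowercased.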
References
- GitHub advisory GHSA-w789-49fc-v8hr: github.com/advisories/GHSA-w789-49fc-v8hr
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2026-27818
- Fix commit: github.com/TerriaJS/terriajs-server/commit/3aaa5d9717162b245ae4569232bbe7d8673c913f
- Release 4.0.3: github.com/TerriaJS/terriajs-server/releases/tag/4.0.3
- Repository security advisory (vendor confirmation): github.com/TerriaJS/terriajs-server/security/advisories/GHSA-w789-49fc-v8hr