CVE-2026-33975
Description
Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's WHATWG URL parser serializes an IPv4-mapped IPv6 address in compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation, so the hex form is never classified as private and passes the SSRF check. The second validation layer, a check on the socket's lookup event, never fires for IP literals because no DNS resolution takes place, so it offers no protection either. An authenticated user can therefore reach any internal IP, including cloud metadata endpoints, and exfiltrate credentials such as IAM keys.
Affected products
Patches
No patches discovered yet.
References