NocoDB: Server-Side Request Forgery via Database Connection Host
Description
Summary
The connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver.
Details
A new validateDbConnectionHost helper resolves hostnames through DNS, parses each address with ipaddr.js, normalises IPv4-mapped IPv6, and rejects addresses in the private, loopback, link-local, unique-local, reserved, unspecified, broadcast, and carrier-grade-NAT ranges. 0.0.0.0, ::, and the literal localhost are special-cased. The check runs before the existing SSL block in the connection-test controller and gates the driver invocation.
Impact
Authenticated users with connection-test permission could probe internal services (Redis, the cloud metadata endpoint, internal databases) reachable from the NocoDB process. A DNS rebinding attacker could still race the resolve-vs-connect window.
Credit
This issue was reported by @helwor-01.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The connection-test endpoint opened a raw TCP socket to a user-supplied database host without proper validation of the destination address."
Attack vector
An authenticated user with connection-test permission can exploit this vulnerability. By providing a specially crafted database host, they can probe internal services reachable from the NocoDB process. This includes services like Redis, cloud metadata endpoints, and other internal databases. A DNS rebinding attack could also potentially exploit the window between address resolution and connection establishment [ref_id=1].
Affected code
The vulnerability resides in the connection-test endpoint, specifically within the controller logic that handles database connection testing. The fix involves the addition of a new helper function, `validateDbConnectionHost`, which is called before the driver is invoked to validate the destination host.
What the fix does
The patch introduces a new helper function, `validateDbConnectionHost`, which resolves hostnames via DNS and then parses the resulting addresses using `ipaddr.js`. This function normalizes IPv4-mapped IPv6 addresses and explicitly rejects a wide range of restricted IP address types, including private, loopback, link-local, and others. The check is performed before the existing SSL block in the connection-test controller, effectively gating the driver invocation and preventing connections to unintended or private network destinations [ref_id=1].
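The validation described above, rebuilt as an added example for illustration; it is not NocoDB's `validateDbConnectionHost` and does not use `ipaddr.js`. It parses IPv4 and IPv6 literals itself (so it runs offline without dependencies), folds IPv4-mapped IPv6 back to IPv4, special-cases `localhost`, `0.0.0.0` and `::`, and checks every resolved address against a range table covering the categories the advisory lists. The DNS resolver is injected as a function; the `FAKE_DNS` table, the host names in it, and the names `checkHost`, `classifyAddress` and `validateDbConnectionHost` are assumptions made for this example.

```javascript
// Added example: SSRF guard for a user-supplied database host.
// Not NocoDB's code and not ipaddr.js; the range table below is hand-written.

// Strict dotted-quad parser. Returns the address as a number (0..2^32-1) or null.
// Shorthand forms such as "127.1" are deliberately rejected here; if the OS
// resolver accepts them, the resolved address still goes through the same table.
function parseIPv4(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// IPv6 parser returning eight 16-bit groups or null. Strips a zone id (%eth0)
// and URL brackets, and rewrites a dotted IPv4 tail (::ffff:127.0.0.1) into hextets.
function parseIPv6(s) {
  let str = s.includes('%') ? s.slice(0, s.indexOf('%')) : s;
  if (str.startsWith('[') && str.endsWith(']')) str = str.slice(1, -1);
  const lastColon = str.lastIndexOf(':');
  if (lastColon !== -1 && str.slice(lastColon + 1).includes('.')) {
    const v4 = parseIPv4(str.slice(lastColon + 1));
    if (v4 === null) return null;
    str = str.slice(0, lastColon + 1) + Math.floor(v4 / 65536).toString(16) + ':' + (v4 % 65536).toString(16);
  }
  const halves = str.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if ((halves.length === 2 && fill < 1) || (halves.length === 1 && head.length !== 8)) return null;
  const groups = [...head, ...Array(fill).fill('0'), ...tail];
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function inCidr(ip, base, bits) {
  const shift = 2 ** (32 - bits);
  return Math.floor(ip / shift) === Math.floor(base / shift);
}

// Blocked IPv4 ranges, labelled with the category the advisory names. Order matters:
// the single broadcast address is also inside 240.0.0.0/4, so it is listed first.
// A production table (ipaddr.js's, for instance) is longer; this covers the listed categories.
const IPV4_BLOCKED = [
  ['0.0.0.0', 8, 'unspecified'], ['10.0.0.0', 8, 'private'],
  ['100.64.0.0', 10, 'carrier-grade NAT'], ['127.0.0.0', 8, 'loopback'],
  ['169.254.0.0', 16, 'link-local'], ['172.16.0.0', 12, 'private'],
  ['192.168.0.0', 16, 'private'], ['255.255.255.255', 32, 'broadcast'],
  ['240.0.0.0', 4, 'reserved'],
];

function classifyIPv4(ip) {
  for (const [base, bits, label] of IPV4_BLOCKED) {
    if (inCidr(ip, parseIPv4(base), bits)) return label;
  }
  return null;
}

function classifyIPv6(g) {
  if (g.every((x) => x === 0)) return 'unspecified';
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return 'loopback';
  // IPv4-mapped (::ffff:a.b.c.d): normalise and reuse the IPv4 table.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) return classifyIPv4(g[6] * 65536 + g[7]);
  if ((g[0] & 0xffc0) === 0xfe80) return 'link-local';
  if ((g[0] & 0xfe00) === 0xfc00) return 'unique-local';
  return null;
}

// null means the address may be contacted; otherwise the name of the blocked range.
function classifyAddress(addr) {
  const v4 = parseIPv4(addr);
  if (v4 !== null) return classifyIPv4(v4);
  const v6 = parseIPv6(addr);
  if (v6 !== null) return classifyIPv6(v6);
  return 'unparseable';
}

const LITERAL_DENY = new Set(['localhost', '0.0.0.0', '::', '[::]']);

// Pure decision: the host as typed plus the addresses it resolved to (empty for literals).
function checkHost(host, resolvedAddresses) {
  const h = host.trim().toLowerCase();
  if (LITERAL_DENY.has(h)) return { ok: false, reason: `literal host ${host} is not allowed` };
  const isLiteral = parseIPv4(h) !== null || parseIPv6(h) !== null;
  const candidates = isLiteral ? [h] : resolvedAddresses || [];
  if (candidates.length === 0) return { ok: false, reason: `${host} did not resolve` };
  for (const a of candidates) {
    const label = classifyAddress(a);
    if (label !== null) return { ok: false, reason: `${host} -> ${a} is in a ${label} range` };
  }
  return { ok: true, addresses: candidates };
}

// Async wrapper. In a real service pass a resolver such as
//   (name) => require('dns').promises.lookup(name, { all: true }).then((rs) => rs.map((r) => r.address))
async function validateDbConnectionHost(host, resolve) {
  const h = host.trim().toLowerCase();
  const skipDns = LITERAL_DENY.has(h) || parseIPv4(h) !== null || parseIPv6(h) !== null;
  return checkHost(host, skipDns ? [] : await resolve(h));
}

// Constructed lookup table standing in for DNS (sample data, not real records).
const FAKE_DNS = {
  'db.example.net': ['203.0.113.10'],
  'metadata.internal.example': ['169.254.169.254'],
  'rebind.example': ['203.0.113.10', '10.0.0.5'],
};
const fakeResolve = async (name) => FAKE_DNS[name] || [];

if (typeof require !== 'undefined' && require.main === module) {
  for (const host of ['localhost', '::ffff:127.0.0.1', 'db.example.net', 'metadata.internal.example', 'rebind.example']) {
    validateDbConnectionHost(host, fakeResolve).then((r) => console.log(host, '=>', r));
  }
}
```

Two design points worth keeping when adapting this: the check is applied to every address a name resolves to, not just the first, so a name that mixes a public and a private record is rejected rather than depending on which record the driver happens to pick; and the advisory's remaining DNS rebinding window (a name that changes answers between the check and the connect) is narrowed by handing the driver the already-validated address from `result.addresses` instead of the hostname, so the driver does not resolve a second time.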
Preconditions
- auth: The attacker must be authenticated and possess connection-test permission.
- input: The attacker must supply a user-controlled database host to the connection-test endpoint.
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Nocodb: 14 Vulnerabilities Disclosed Together, Including XSS and SQL Injection (Vypr Intelligence · Jun 5, 2026)