CVE-2026-53607
Description
ApostropheCMS <=4.30.0 allows unauthenticated blind SSRF when prettyUrls is enabled, because the Host header is used to construct a fetch URL without validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An unauthenticated blind server-side request forgery (SSRF) exists in ApostropheCMS versions up to and including 4.30.0 when the `prettyUrls: true` option is enabled on the `@apostrophecms/file` module. The public pretty-URL handler builds an upstream URL from the raw `Host` HTTP request header using the template `${req.protocol}://${req.get('host')}${uglyUrl}` (assigned to `proxyUrl`), then fetches that URL and streams the response back to the requester. The path component is constrained to `/uploads/attachments/<cuid>-<slug>.<ext>` (derived from a local database lookup), which limits the attack surface. The feature is described in the documentation as an SEO improvement for serving uploaded files [1].
Exploitation
An attacker with no authentication or network access beyond the ability to send HTTP requests to the targeted ApostropheCMS instance can exploit this by setting the Host header to an arbitrary internal or external hostname. The constrained path reduces the impact to response-code and timing side channels, as well as verbose proxy/WAF 404 body disclosure [1].
Impact
Successful exploitation yields a blind SSRF, allowing the attacker to map internal network topology, infer services from response codes or timing differences, and potentially obtain verbose error pages from internal proxies or WAFs. Cross-instance data exfiltration is neutralized by cuid uniqueness — an attacker cannot predict a valid attachment path on another instance [1].
Mitigation
As of the publication date, no patched version is available. Users should disable prettyUrls: true on @apostrophecms/file if possible, or restrict access to the vulnerable endpoint (e.g., via a reverse proxy) to trusted networks only [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <=4.30.0
- (no CPE) range: <=4.30.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The pretty-URL handler builds the upstream proxy URL from the unvalidated Host HTTP request header before fetching it, allowing an attacker to redirect the server's outbound request to an arbitrary internal host."
Attack vector
An unauthenticated remote attacker sends a request to a known pretty-URL endpoint (e.g., `/files/<slug>.<ext>`) with a crafted `Host` HTTP header pointing to an internal host on the private network. Because Express does not validate the `Host` header and Apostrophe applies no allowlist, the server issues an outbound `fetch()` to `http://<attacker-controlled-host>/uploads/attachments/<cuid>-<slug>.<ext>`. The response body and headers are streamed verbatim back to the attacker, enabling blind-SSRF probes (response-code/timing side channels) and, against verbose proxies or WAFs, limited body disclosure. [ref_id=1] [CWE-918]
Affected code
The vulnerability resides in the public GET route of `@apostrophecms/file` when `prettyUrls: true` is enabled (`modules/@apostrophecms/file/index.js`). The route constructs an upstream URL by concatenating `req.protocol` with the unvalidated `Host` HTTP request header and a path derived from a database lookup. That URL is then passed to `fetch()` inside `lib/stream-proxy.js`, and the response is streamed directly back to the requester. [ref_id=1]
What the fix does
The advisory recommends two changes. First, in the pretty-URL route (`modules/@apostrophecms/file/index.js`), replace `req.get('host')` with a server-trusted absolute base URL (e.g., `self.apos.baseUrl`) when constructing `proxyUrl`, so the Host header cannot steer the fetch target. Second, enforce a strict origin allowlist inside `lib/stream-proxy.js` before calling `fetch()`, providing defense in depth against future callers reintroducing the same pattern. No patch version has been published as of the advisory’s release date. [ref_id=1]
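The two changes the advisory recommends, shown beside the Host-derived construction it describes, as an added JavaScript example that is not ApostropheCMS code: `makeReq`, `buildProxyUrlVulnerable`, `buildProxyUrlSafe`, `assertAllowedOrigin`, `streamProxy` and `demo` are hypothetical names, `cms.example`, `internal-service.example` and the attachment path are constructed sample values, and `baseUrl` stands in for a server-configured value such as the `self.apos.baseUrl` the advisory suggests. No network request is made; the simulated proxy only reports which URL it would have fetched.

```javascript
// Added example, not ApostropheCMS code. Shows the Host-derived URL
// construction the advisory describes beside a hardened form, plus an
// origin allowlist at the proxy layer. All names here are hypothetical.

// Minimal stand-in for an Express request: only the members used below.
function makeReq({ protocol = 'http', host, path = '/files/report.pdf' } = {}) {
  const headers = { host };
  return { protocol, path, get: (name) => headers[name.toLowerCase()] };
}

// Vulnerable pattern: the upstream URL is built from the client-supplied
// Host header, so whoever sends the request chooses where the server fetches.
function buildProxyUrlVulnerable(req, uglyUrl) {
  return `${req.protocol}://${req.get('host')}${uglyUrl}`;
}

// Hardened pattern: the base is server configuration (the advisory suggests
// self.apos.baseUrl), never request data, and the resolved path must stay
// under the local attachments prefix. Resolving first means '..' segments and
// protocol-relative paths are checked after normalisation, not before.
const ATTACHMENT_PREFIX = '/uploads/attachments/';

function buildProxyUrlSafe(baseUrl, uglyUrl) {
  const base = new URL(baseUrl);
  const target = new URL(uglyUrl, base);
  if (target.origin !== base.origin) {
    throw new Error('uglyUrl must not change the origin');
  }
  if (!target.pathname.startsWith(ATTACHMENT_PREFIX)) {
    throw new Error('refusing to proxy a non-attachment path');
  }
  return target.href;
}

// Defense in depth for the proxy layer: whatever built the URL, refuse to
// fetch any origin that is not explicitly trusted.
function assertAllowedOrigin(targetUrl, allowedOrigins) {
  const { origin } = new URL(targetUrl);
  if (!allowedOrigins.includes(origin)) {
    throw new Error(`refusing to proxy to untrusted origin ${origin}`);
  }
  return origin;
}

// Simulated stream proxy: no network; it reports which URL it would fetch.
function streamProxy(targetUrl, allowedOrigins) {
  assertAllowedOrigin(targetUrl, allowedOrigins);
  return { wouldFetch: targetUrl };
}

// Walk-through with constructed values.
function demo() {
  const baseUrl = 'http://cms.example';                     // trusted config
  const allowed = [new URL(baseUrl).origin];
  const uglyUrl = '/uploads/attachments/abc123-report.pdf'; // from the DB lookup
  // A request whose Host header names a host other than the CMS itself.
  const steered = makeReq({ host: 'internal-service.example:8080' });

  const vulnerable = buildProxyUrlVulnerable(steered, uglyUrl);
  const safe = buildProxyUrlSafe(baseUrl, uglyUrl);
  let gateResult;
  try {
    streamProxy(vulnerable, allowed); // the allowlist stops the steered URL
    gateResult = 'allowed';
  } catch (e) {
    gateResult = e.message;
  }
  return { vulnerable, safe, gateResult };
}

console.log(demo());
```

The allowlist is deliberately applied inside the proxy helper rather than in the route, which is the advisory's second point: if a future caller reintroduces the Host-derived pattern, the proxy layer still refuses to fetch anything outside the configured origin.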
Preconditions
- (config) The `prettyUrls: true` option must be enabled on the `@apostrophecms/file` module.
- (config) At least one file must have been uploaded so that a public slug exists, which is typical in normal CMS operation.
- (input) The attacker must know the slug of a publicly accessible uploaded file, which is trivially enumerable because file URLs appear in page content.
- (config) Uploads must be stored locally (default); S3/CDN deployments produce an absolute `uglyUrl` and are not affected.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1 reference (cited inline as [1]).
News mentions
No linked articles in our index yet.