NocoDB: Server-Side Request Forgery via Base Migration URL
Description
Summary
The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations.
Details
The migrate endpoint is restricted to the workspace owner role by ACL. The remaining gaps were (a) protocol validation — the controller now parses body.migrationUrl as a URL and rejects anything whose protocol is not http: or https: — and (b) private destination filtering — the worker already runs through useAgent(targetUrl) from request-filtering-agent, which blocks RFC 1918, loopback, and link-local at the socket layer.
Impact
With the workspace owner role, a malformed URL could be used to coerce the migration worker into reading local files or talking to non-HTTP services; combined with the HTTP-only filter, owner-supplied targets could not reach private ranges.
Credit
This issue was reported by Devel Group Security Research Team through @TREXNEGRO. It was independently reported by @Lihfdgjr and [@bugbunny-research (https://github.com/bugbunny-research).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.