VYPR · NVD Advisory · Unrated severity · Published Jun 20, 2026

Capgo - Server-Side Request Forgery via Webhook URL Validation

CVE-2026-56227

Description

Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Webhook URL validation explicitly allows loopback hosts (localhost, 127.0.0.1, ::1) and only rejects non-HTTPS URLs, so internal addresses are accepted and the backend performs outbound requests to them."

Attack vector

An organization admin with webhook management access can set a webhook URL to a loopback or internal address (e.g. `https://localhost/` or `https://127.0.0.1/`) via a PUT request [ref_id=1]. When the webhook is tested or delivered, the backend calls `fetch(url, { method: 'POST', ... })` inside `deliverWebhook()`, causing a real outbound request from Capgo's infrastructure to that internal address [ref_id=1]. Error responses from the internal target are returned to the caller via `response_preview`, creating an information disclosure channel useful for internal probing [ref_id=1].

Affected code

The vulnerability resides in `supabase/functions/_backend/public/webhooks/post.ts` and `supabase/functions/_backend/public/webhooks/put.ts`. The webhook URL validation explicitly allows loopback hosts (`localhost`, `127.0.0.1`, `::1`) and otherwise only rejects non-HTTPS URLs; it never checks whether the host is internal, so `https://localhost/` and `https://127.0.0.1/` are accepted in production.

What the fix does

The advisory recommends rejecting loopback, link-local, and private IP ranges (127.0.0.0/8, ::1, localhost, *.localhost, 169.254.0.0/16, RFC1918 ranges), resolving the hostname to an IP and validating after DNS resolution, and avoiding the return of raw network error messages to users [ref_id=1]. No patch diff is provided in the bundle, so the exact code changes are not shown.
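As an added illustration of the recommended fix (this is example code, not Capgo's patch), the check below rejects loopback, link-local and RFC1918 targets, validates the addresses a hostname resolves to rather than the hostname alone, and returns fixed error strings instead of raw network errors. DNS lookup is injected as a `resolve` callback (an assumption for offline use); the address ranges are the ones listed in the advisory plus the unspecified address.

```typescript
// Added example (not Capgo's code). DNS lookup is injected as `resolve` so the post-resolution check runs offline.
type Resolver = (host: string) => string[];
// Ranges a webhook must never target: loopback, link-local, RFC1918, "this network".
const BLOCKED_V4: [string, number][] = [
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["10.0.0.0", 8],
  ["172.16.0.0", 12], ["192.168.0.0", 16], ["0.0.0.0", 8],
];
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}
function isBlockedIp(ip: string): boolean {
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ((ipv4ToInt(net)! & mask) >>> 0);
    });
  }
  const v6 = ip.toLowerCase().replace(/^\[|\]$/g, ""); // URL.hostname keeps the brackets
  if (v6 === "::1" || v6 === "::") return true;          // loopback, unspecified
  if (/^fe[89ab]/.test(v6) || /^f[cd]/.test(v6)) return true; // fe80::/10, fc00::/7
  const hexMapped = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // e.g. ::ffff:7f00:1
  if (hexMapped) {
    const hi = parseInt(hexMapped[1], 16), lo = parseInt(hexMapped[2], 16);
    return isBlockedIp(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  const dotMapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // e.g. ::ffff:127.0.0.1
  return dotMapped ? isBlockedIp(dotMapped[1]) : false;
}
// Returns null when the URL is acceptable, otherwise a fixed error string (never the raw network error).
function validateWebhookUrl(raw: string, resolve: Resolver): string | null {
  let u: URL; try { u = new URL(raw); } catch { return "invalid URL"; }
  if (u.protocol !== "https:") return "webhook URL must use https";
  const host = u.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback hostname not allowed";
  const isLiteral = ipv4ToInt(host) !== null || host.startsWith("[");
  const addrs = isLiteral ? [host] : resolve(host); // validate what the host actually resolves to
  if (addrs.length === 0) return "hostname does not resolve";
  if (addrs.some(isBlockedIp)) return "webhook target is an internal address";
  return null;
}
```

In a deployment the same resolved addresses should also be the ones the outbound request connects to, otherwise a DNS answer that changes between validation and delivery bypasses the check.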

Preconditions

  • auth: Attacker must be an organization admin with webhook management access
  • config: The webhook URL validation must accept loopback hosts (localhost, 127.0.0.1, ::1)
  • network: Attacker must be able to send HTTP requests to the Capgo API endpoints
  • input: Attacker must supply a loopback or internal address as the webhook URL

Reproduction

```bash
# Update an existing webhook URL to loopback
curl -X PUT https://.supabase.co/functions/v1/webhooks \
  -H "capgkey: <API_KEY>" \
  -H "content-type: application/json" \
  --data '{ "orgId": "<ORG_ID>", "webhookId": "<WEBHOOK_ID>", "url": "https://localhost/" }'

# Trigger webhook test
curl -X POST https://.supabase.co/functions/v1/webhooks/test \
  -H "capgkey: <API_KEY>" \
  -H "content-type: application/json" \
  --data '{ "orgId": "<ORG_ID>", "webhookId": "<WEBHOOK_ID>" }'
```

The server responds with `{"success": false, "response_preview": "Error: error sending request for url (https://localhost/): tcp connect error: Connection refused", "message": "Test webhook delivery failed"}`, confirming the backend attempted a request to localhost [ref_id=1].

Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
