CVE-2020-27664

9.8 CRITICAL

📋 TL;DR

CVE-2020-27664 is a server-side request forgery (SSRF) vulnerability in Strapi's admin interface that lets an attacker make the Strapi server issue requests to internal systems on their behalf. It affects Strapi installations whose admin interface is exposed, potentially enabling access to internal services, port scanning, or interaction with cloud metadata services. All Strapi deployments running a vulnerable version with admin functionality enabled are affected.

💻 Affected Systems

Products:
  • Strapi
Versions: All versions before 3.2.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with admin functionality enabled. The vulnerability is in the admin interface's proxy endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal infrastructure through cloud metadata access, lateral movement to internal systems, or data exfiltration from internal services.

🟠 Likely Case

Unauthorized access to internal HTTP services, port scanning of internal networks, and potential information disclosure from internal APIs.

🟢 If Mitigated

Limited impact if network segmentation prevents access to sensitive internal services and cloud metadata endpoints are properly secured.

🌐 Internet-Facing: HIGH - Admin interfaces exposed to the internet are directly vulnerable to unauthenticated SSRF attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to pivot to other internal systems, but doing so requires initial access to the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to the vulnerable endpoint can trigger the SSRF. No authentication required if admin interface is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.5 and later

Vendor Advisory: https://github.com/strapi/strapi/releases/tag/v3.2.5

Restart Required: Yes

Instructions:

1. Update Strapi to version 3.2.5 or later using npm: 'npm update strapi@^3.2.5'
2. Restart the Strapi application
3. Verify the fix by checking the version

🔧 Temporary Workarounds

Disable Admin Interface (applies to: all)

Temporarily disable the admin interface to prevent exploitation while planning the update.

Modify the Strapi configuration to disable the admin panel.

Network Segmentation (applies to: all)

Restrict network access from Strapi servers to internal services and block access to cloud metadata endpoints.

Configure firewall rules to block outbound requests from Strapi to internal networks.

🧯 If You Can't Patch

  • Implement strict network segmentation to prevent Strapi from accessing internal services
  • Use web application firewall (WAF) rules to block requests to the /admin/proxy?url= endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the Strapi version is below 3.2.5 and whether the admin interface is reachable. Test by making a request to /admin/proxy?url=http://internal-service/

Check Version:

npm list strapi | grep strapi

Verify Fix Applied:

After updating to 3.2.5+, verify that requests to /admin/proxy?url= return appropriate error responses instead of proxying requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /admin/proxy?url= endpoint
  • Outbound requests from Strapi to internal IP addresses
  • Requests to cloud metadata endpoints (169.254.169.254, etc.)

Network Indicators:

  • HTTP traffic from Strapi server to internal services not normally accessed
  • Port scanning patterns originating from Strapi server

SIEM Query:

source="strapi" AND (uri_path="/admin/proxy" OR destination_ip IN (RFC1918_RANGES, 169.254.169.254))
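As an added example (not from this page or from Strapi), the log indicators above applied in Python to a few constructed access-log lines: the script flags /admin/proxy requests whose url= parameter points at RFC1918, loopback or link-local addresses (the cloud metadata range). The log line shape "METHOD PATH STATUS" is an assumption; adapt the regex to your own access-log format.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample access-log lines (not real traffic), assumed to be in a
# "METHOD PATH STATUS" shape; only the request path matters for this check.
SAMPLE_LOG = """\
GET /admin/proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 200
GET /admin/proxy?url=http://10.0.3.7:6379/ 200
GET /admin/proxy?url=https://cdn.example.com/image.png 200
GET /admin/proxy?url=http://localhost:1337/admin 200
GET /admin/content-manager/explorer 200
"""

# RFC1918, loopback and link-local (the cloud metadata service sits at 169.254.169.254)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

LOG_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def proxy_target(path):
    """Return the decoded url= parameter if the path hits /admin/proxy, else None."""
    parts = urlsplit(path)
    if parts.path.rstrip("/") != "/admin/proxy":
        return None
    urls = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value
    return urls[0] if urls else None

def is_internal_target(url):
    """True if the proxied URL names localhost or an IP inside INTERNAL_NETS."""
    host = urlsplit(url).hostname
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host or "")
    except ValueError:
        return False  # a DNS name: resolving it is out of scope for this check
    return any(addr in net for net in INTERNAL_NETS)

def find_ssrf_hits(log_text):
    """Return (line_no, target) for each /admin/proxy request aimed at an internal host."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = proxy_target(m.group("path"))
        if target and is_internal_target(target):
            hits.append((line_no, target))
    return hits
```

Running find_ssrf_hits(SAMPLE_LOG) reports lines 1, 2 and 4; the external CDN fetch and the ordinary admin request are left alone.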
