CVE-2022-1711

7.5 HIGH

📋 TL;DR

This Server-Side Request Forgery (SSRF) vulnerability in draw.io allows attackers to make unauthorized requests from the server to internal systems. It affects users of draw.io versions prior to 18.0.5 who process untrusted diagram files. Attackers can exploit this by crafting malicious diagram files that trigger internal network requests.

💻 Affected Systems

Products:
  • draw.io
Versions: All versions prior to 18.0.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when processing untrusted diagram files. Self-hosted instances and cloud deployments are both affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal network services, data exfiltration from internal systems, or lateral movement to other servers via the draw.io server's network position.

🟠 Likely Case

Information disclosure from internal services, scanning of internal network resources, or limited data extraction from accessible internal endpoints.

🟢 If Mitigated

Limited impact due to network segmentation, egress filtering, or restricted server permissions preventing access to sensitive internal resources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim to process a malicious diagram file. The vulnerability is well-documented with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.0.5 and later

Vendor Advisory: https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae

Restart Required: Yes

Instructions:

1. Update draw.io to version 18.0.5 or later.
2. For self-hosted instances: download the latest version from GitHub releases.
3. Replace the existing installation with the patched version.
4. Restart the draw.io service or application.

🔧 Temporary Workarounds

Network Egress Filtering

Platform: linux

Restrict outbound network connections from draw.io servers to only necessary destinations. Note that the two rules below drop all outbound TCP 80/443 from the host, not only traffic to internal ranges, so insert ACCEPT rules for any destinations the server legitimately needs ahead of them, and remember that a server-side request to a non-web port is not covered by these rules alone.

# Drop all outbound HTTP/HTTPS from the draw.io host (appended to OUTPUT, so earlier ACCEPT rules take precedence)
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP

Input Validation

Platform: all

Implement strict validation of diagram files before processing; only accept diagrams from trusted sources.

🧯 If You Can't Patch

  • Isolate draw.io servers in a restricted network segment with limited outbound access
  • Implement strict file upload validation and only allow trusted diagram sources

🔍 How to Verify

Check if Vulnerable:

Check draw.io version. If version is below 18.0.5, the system is vulnerable.

Check Version:

Open the About dialog or application settings in the draw.io interface and read the version number.

Verify Fix Applied:

Verify draw.io version is 18.0.5 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from draw.io server
  • Requests to internal IP addresses or unusual domains

Network Indicators:

  • HTTP requests from draw.io server to unexpected internal endpoints
  • Port scanning activity originating from draw.io server

SIEM Query:

source="drawio" AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16)
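The SIEM query above expressed as standalone detection logic, as an added example that is not part of the original advisory. It runs over constructed outbound-connection log lines (the `src=... dst=... dport=...` format is an assumption), flags draw.io requests to the private ranges in the query, and goes slightly beyond it by also covering loopback and link-local addresses and by grouping hits per destination to surface the port-scanning pattern listed under Network Indicators.

```python
import ipaddress
import re
from collections import defaultdict

# Ranges from the SIEM query, extended with loopback and link-local
# (link-local includes the instance-metadata addresses used by cloud platforms).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed (constructed) log format: "<ts> src=<service> dst=<ip> dport=<port> [url=<url>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: url=(?P<url>\S+))?"
)

def is_internal(addr):
    """True if addr parses as an IP inside one of the monitored internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # hostnames or malformed fields are not matched here
        return False
    return any(ip in net for net in INTERNAL_NETS)

def flag_internal_requests(lines, source="drawio"):
    """Return one dict per outbound request from `source` to an internal address."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] != source:
            continue
        if is_internal(m["dst"]):
            hits.append({"ts": m["ts"], "dst": m["dst"],
                         "dport": int(m["dport"]), "url": m["url"]})
    return hits

def scan_suspects(hits, min_ports=3):
    """Destinations contacted on at least `min_ports` distinct ports (scan-like behaviour)."""
    ports = defaultdict(set)
    for h in hits:
        ports[h["dst"]].add(h["dport"])
    return sorted(dst for dst, p in ports.items() if len(p) >= min_ports)

# Constructed sample log: one legitimate external fetch, three probes of one
# internal host, one request from another service, one link-local hit, one junk line.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=drawio dst=203.0.113.10 dport=443 url=https://cdn.example/icon.png",
    "2024-05-01T10:00:02Z src=drawio dst=10.0.0.5 dport=80 url=http://10.0.0.5/",
    "2024-05-01T10:00:03Z src=drawio dst=10.0.0.5 dport=8080 url=http://10.0.0.5:8080/",
    "2024-05-01T10:00:04Z src=drawio dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:05Z src=webapp dst=192.168.1.10 dport=443 url=https://192.168.1.10/",
    "2024-05-01T10:00:06Z src=drawio dst=169.254.20.7 dport=80 url=http://169.254.20.7/",
    "not a connection record",
]

if __name__ == "__main__":
    found = flag_internal_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} draw.io -> {h['dst']}:{h['dport']} {h['url'] or ''}")
    print("scan-like destinations:", scan_suspects(found))
```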
