CVE-2023-27159

7.5 HIGH

📋 TL;DR

Appwrite versions up to 1.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the /v1/avatars/favicon endpoint. Attackers can send crafted GET requests to make the server access internal network resources and potentially retrieve sensitive information. All Appwrite deployments running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Appwrite
Versions: Up to and including version 1.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable if the /v1/avatars/favicon endpoint is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, cloud metadata endpoints, or sensitive data stores, potentially leading to full network compromise or data exfiltration.

🟠 Likely Case

Attackers scan internal networks, access metadata services (like AWS/Azure instance metadata), or retrieve files from internal web servers.

🟢 If Mitigated

With proper network segmentation and egress filtering, impact is limited to accessing only allowed internal resources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists in GitHub gists. Exploitation requires only HTTP GET requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.2.2 and later

Vendor Advisory: https://github.com/appwrite/appwrite

Restart Required: Yes

Instructions:

1. Update Appwrite to version 1.2.2 or later.
2. Restart the Appwrite service.
3. Verify the fix by testing the /v1/avatars/favicon endpoint.

🔧 Temporary Workarounds

Block vulnerable endpoint (platform: all)

Use a web application firewall or reverse proxy to block requests to /v1/avatars/favicon.

# Example nginx location block (returns 403 for the vulnerable endpoint)
location /v1/avatars/favicon { deny all; }

Network egress filtering (platform: linux)

Restrict outbound connections from the Appwrite server to only the destinations it needs. For this SSRF the priority is to stop the server from reaching the cloud metadata address and internal address ranges. If Appwrite runs in Docker, container traffic traverses the host's FORWARD chain, so place the equivalent rules in the DOCKER-USER chain rather than OUTPUT.

# Example iptables rules: drop outbound TCP to the cloud metadata address and
# RFC1918 ranges (add ACCEPT rules for required internal destinations first)
iptables -A OUTPUT -p tcp -d 169.254.169.254 -j DROP
iptables -A OUTPUT -p tcp -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -p tcp -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -p tcp -d 192.168.0.0/16 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Appwrite from sensitive internal resources
  • Deploy a web application firewall with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Send a GET request to /v1/avatars/favicon with a URL parameter pointing to an internal resource and check if it's accessed.

Check Version:

docker exec appwrite appwrite version

Verify Fix Applied:

After patching, attempt the same SSRF test - it should fail or return an error.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Appwrite server
  • Requests to /v1/avatars/favicon with URL parameters

Network Indicators:

  • Appwrite server making unexpected HTTP requests to internal IP addresses

SIEM Query:

source="appwrite.logs" AND uri="/v1/avatars/favicon" AND url=*
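As an added example that is not part of this advisory, the following Python script implements the log indicators above: it parses constructed nginx-style access-log lines and flags favicon requests whose url= parameter points at localhost, a loopback or link-local address (which covers the cloud metadata service) or an RFC1918 range. The log layout and the sample lines are assumptions; hostnames are not resolved, so a DNS name that resolves to an internal address is not caught by this offline check.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2023:12:00:01 +0000] "GET /v1/avatars/favicon?url=https%3A%2F%2Fexample.com HTTP/1.1" 200 512 "-" "curl/7.88"
10.0.0.5 - - [10/Mar/2023:12:00:02 +0000] "GET /v1/avatars/favicon?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 80 "-" "curl/7.88"
10.0.0.7 - - [10/Mar/2023:12:00:03 +0000] "GET /v1/avatars/favicon?url=http%3A%2F%2F10.1.2.3%3A8080%2Fadmin HTTP/1.1" 200 80 "-" "python-requests/2.28"
10.0.0.7 - - [10/Mar/2023:12:00:04 +0000] "GET /v1/avatars/favicon?url=http%3A%2F%2Flocalhost%2F HTTP/1.1" 500 0 "-" "python-requests/2.28"
10.0.0.9 - - [10/Mar/2023:12:00:05 +0000] "GET /v1/health HTTP/1.1" 200 20 "-" "kube-probe/1.25"
"""

# Assumed layout: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
FAVICON_PATH = "/v1/avatars/favicon"

def is_internal_target(url: str) -> bool:
    """True if the URL's host is localhost or a literal loopback, link-local (cloud
    metadata) or RFC1918 address. Hostnames are not resolved (offline heuristic)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name rather than a literal IP
        return False
    return ip.is_loopback or ip.is_link_local or ip.is_private

def find_ssrf_attempts(log_text: str) -> list:
    """One finding per favicon request whose url= parameter targets an internal address."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != FAVICON_PATH:
            continue
        for target in parse_qs(query).get("url", []):  # parse_qs percent-decodes values
            if is_internal_target(target):
                findings.append({"src": m.group("src"), "ts": m.group("ts"),
                                 "status": int(m.group("status")), "url": target})
    return findings

if __name__ == "__main__":
    for f in find_ssrf_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['url']} (HTTP {f['status']})")
```

Run against the constructed sample it reports the metadata, 10.1.2.3 and localhost requests and ignores the example.com fetch and the health check.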
