CVE-2023-39967
📋 TL;DR
CVE-2023-39967 is a server-side request forgery (SSRF) vulnerability in WireMock Studio that allows attackers to make arbitrary HTTP requests from the WireMock instance to internal services. This affects users of WireMock Studio who have configured vulnerable request URLs. Attackers can exploit this to access internal systems using WireMock's credentials.
💻 Affected Systems
- WireMock Studio
📦 What is this software?
Studio by Wiremock
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network services, data exfiltration, and lateral movement using WireMock's credentials to access sensitive systems.
Likely Case
Unauthorized access to internal APIs, services, or data stores that are reachable from the WireMock instance.
If Mitigated
Limited impact if WireMock runs in isolated network segments with strict egress filtering and minimal credentials.
🎯 Exploit Status
Exploitation is straightforward via three attack vectors: TestRequester, webhooks, and proxy mode. Public advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://github.com/wiremock/wiremock/security/advisories/GHSA-676j-xrv3-73vc
Restart Required: No
Instructions:
No official fix available. Vendor has discontinued WireMock Studio. Users must migrate to alternative solutions.
🔧 Temporary Workarounds
Disable vulnerable features
allDisable TestRequester functionality, webhooks, and proxy mode in WireMock Studio configuration
Configure WireMock Studio to disable: testRequester.enabled=false, webhooks.enabled=false, proxy.enabled=false
Input validation for URLs
allImplement strict validation to reject URLs containing localhost or internal IP addresses
Implement regex validation: reject URLs containing @127.0.0.1, @localhost, @192.168.*, @10.*, @172.16.*
🧯 If You Can't Patch
- Immediately isolate WireMock Studio instances from internal networks using firewall rules
- Migrate to alternative mocking solutions and decommission WireMock Studio entirely
🔍 How to Verify
Check if Vulnerable:
Check if WireMock Studio is installed and if any configuration accepts URLs with patterns like @127.0.0.1:portCheck Version:
Check WireMock Studio documentation or interface for version informationVerify Fix Applied:
Verify WireMock Studio has been removed or disabled, and test that vulnerable URL patterns are rejected📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from WireMock instance to internal IP addresses
- Requests containing @127.0.0.1 or similar patterns in URL fields
Network Indicators:
- HTTP traffic from WireMock instance to unexpected internal services
- Requests with unusual headers or methods originating from WireMock
SIEM Query:
source_ip=wiremock_instance AND dest_ip IN (internal_ranges) AND http_user_agent CONTAINS 'WireMock'