CVE-2024-41812
📋 TL;DR
CVE-2024-41812 is a Server-Side Request Forgery (SSRF) vulnerability in the txtdot HTTP proxy that allows attackers to use the server as a proxy to send HTTP GET requests to arbitrary internal network targets and retrieve information. This affects all txtdot deployments prior to version 1.7.0 that expose the /get route. Organizations using txtdot as an internet-facing proxy are particularly vulnerable.
💻 Affected Systems
- txtdot
📦 What is this software?
Txtdot by Txtdot
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot through txtdot to access sensitive internal services, exfiltrate confidential data, or conduct reconnaissance of internal network infrastructure.
Likely Case
Attackers use txtdot as a proxy to scan internal networks, access internal web applications, or retrieve metadata from cloud services.
If Mitigated
With proper network segmentation and firewall rules, impact is limited to denial of service against txtdot itself.
🎯 Exploit Status
The vulnerability is trivially exploitable via HTTP requests to the /get endpoint with crafted URLs. Public exploit code is available in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: https://github.com/TxtDot/txtdot/security/advisories/GHSA-4gj5-xj97-j8fp
Restart Required: Yes
Instructions:
1. Update txtdot to version 1.7.0 or later.
2. Restart the txtdot service.
3. Verify the /get endpoint no longer returns responses from arbitrary URLs.
🔧 Temporary Workarounds
Network Segmentation
Implement firewall rules to restrict txtdot's outbound network access to only necessary destinations.
Disable /get Route
Remove or disable the vulnerable /get route if not required for functionality.
🧯 If You Can't Patch
- Implement strict network segmentation with firewall rules between txtdot and internal resources
- Deploy txtdot in a DMZ or isolated network segment with no access to internal systems
🔍 How to Verify
Check if Vulnerable:
Send a request to txtdot's /get endpoint with a URL parameter pointing to an internal service (e.g., http://txtdot-server/get?url=http://internal-service). If it returns the internal service's response, the system is vulnerable.
Check Version:
Check txtdot version in package.json or via the application's version endpoint if available.
Verify Fix Applied:
After updating to 1.7.0+, repeat the vulnerability check above. The system should return an error or no response from the internal service.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /get endpoint with internal IP addresses or domains
- High volume of requests to /get from single sources
Network Indicators:
- txtdot making outbound requests to unexpected internal destinations
- Unusual traffic patterns from txtdot to internal services
SIEM Query:
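source="txtdot" AND (uri_path="/get" AND (url="*internal*" OR url="*192.168.*" OR url="*10.*" OR url="*172.16-31.*"))
Note: the 172.16-31.* term is shorthand for the 172.16.0.0/12 range, not a working wildcard. Expand it to one pattern per second octet (16 through 31) or use your SIEM's CIDR-matching function, and adapt the field names to your log schema.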
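Wildcard matching cannot express the 172.16.0.0/12 boundary or IPv6 loopback, so the following added example (not from the advisory or the txtdot project) applies the log indicators above with real address classification. The log line format and the sample entries are constructed assumptions.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample; assumed line format: "<client_ip> <method> <request_uri>"
SAMPLE_LOG = """\
203.0.113.7 GET /get?url=https%3A%2F%2Fexample.com%2Farticle
203.0.113.9 GET /get?url=http%3A%2F%2F172.20.4.10%3A8080%2Fadmin
203.0.113.9 GET /get?url=http://169.254.169.254/
203.0.113.9 GET /get?url=http://[::1]:9200/
198.51.100.4 GET /get?url=http://172.32.0.1/
198.51.100.4 GET /get?url=http://intranet/
198.51.100.4 GET /about
"""

def classify_target(target_url):
    """Return a reason if the proxied URL names a non-public host, else None."""
    try:
        host = urlsplit(target_url).hostname or ""
    except ValueError:
        return "malformed URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: single-label names only resolve on an internal network.
        return "single-label hostname" if host and "." not in host else None
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:      # includes 169.254.0.0/16 (cloud metadata range)
        return "link-local"
    if ip.is_private:         # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        return "private"
    return None

def scan(log_text):
    """Return (findings, per-client /get request counts) for the log text."""
    findings, per_client = [], Counter()
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3 or urlsplit(fields[2]).path != "/get":
            continue
        client, uri = fields[0], fields[2]
        per_client[client] += 1   # volume indicator: many /get calls from one source
        for target in parse_qs(urlsplit(uri).query).get("url", []):
            reason = classify_target(target)
            if reason:
                findings.append((client, target, reason))
    return findings, per_client

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(*finding, sep="  ")
```

Public hostnames that resolve to internal addresses are not visible from the request log alone; the network indicators below cover that case.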
🔗 References
- https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47
- https://github.com/TxtDot/txtdot/commit/7c72d985f7a26ec1fd3cf628444717ca54986d2d
- https://github.com/TxtDot/txtdot/security/advisories/GHSA-4gj5-xj97-j8fp