CVE-2024-55082
📋 TL;DR
This SSRF vulnerability in Stirling-PDF allows attackers to make the server send requests to internal systems by manipulating the /url-to-pdf endpoint. Attackers can potentially access sensitive internal services, metadata, or files. Anyone running Stirling-PDF 0.35.1 with the vulnerable endpoint exposed is affected.
💻 Affected Systems
- Stirling-PDF
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers access cloud metadata services (AWS/Azure/GCP), internal databases, or sensitive files, leading to full internal network compromise.
Likely Case
Attackers access internal HTTP services, retrieve sensitive information from internal APIs, or perform port scanning of internal infrastructure.
If Mitigated
Limited to accessing only allowed external resources with minimal internal exposure.
🎯 Exploit Status
Simple HTTP request manipulation required. Public PoC available in GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Upgrade to a version beyond 0.35.1 if available, or implement workarounds.
🔧 Temporary Workarounds
Disable vulnerable endpoint
allRemove or disable the /url-to-pdf endpoint in Stirling-PDF configuration
Edit Stirling-PDF configuration to disable url-to-pdf functionality
Network segmentation
linuxRestrict Stirling-PDF server's outbound network access
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict input validation on the /url-to-pdf endpoint to only allow specific, trusted URLs
- Deploy a WAF with SSRF protection rules to filter malicious requests
🔍 How to Verify
Check if Vulnerable:
Send a request to http://{server}/url-to-pdf with url parameter pointing to internal service (like http://169.254.169.254/latest/meta-data/)Check Version:
Check Stirling-PDF version in web interface or configuration filesVerify Fix Applied:
Test if the endpoint still accepts arbitrary URLs after implementing controls📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /url-to-pdf with internal IPs or metadata service URLs
- Multiple failed conversion attempts
Network Indicators:
- Stirling-PDF server making unexpected outbound connections to internal services
SIEM Query:
source="stirling-pdf" AND uri="/url-to-pdf" AND (url="*169.254*" OR url="*metadata*" OR url="*internal*" OR url="*localhost*")