CVE-2024-9710
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the database_schema method of PostHog. The method uses a user-supplied URI in a server-side request without properly validating it, so an authenticated attacker can make the PostHog server issue requests on their behalf. An attacker can use this to reach internal systems that trust the server's network position, disclose sensitive information, and, per the ZDI advisory, potentially execute code in the context of the service account. Any PostHog installation running a version without the fix from PR #25388 is affected.
💻 Affected Systems
- PostHog
📦 What is this software?
PostHog, by PostHog: an open-source product analytics platform (event analytics, feature flags, session replay), written largely in Python/Django and frequently self-hosted alongside its data stores.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the PostHog server leading to data exfiltration, lateral movement to internal systems, and remote code execution in the service account context.
Likely Case
Information disclosure from internal services reachable from the PostHog server, such as cloud instance metadata endpoints (which can hand out credentials), internal databases, or other services that trust requests originating from the server's network position.
If Mitigated
Limited impact due to network segmentation, proper authentication controls, and restricted service account permissions.
🎯 Exploit Status
Exploitation requires an authenticated PostHog account; with valid credentials the server-side request is straightforward to trigger, since the attacker only needs to supply a URI pointing at the destination of their choice. The vulnerability is documented in ZDI advisory ZDI-24-1383.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version containing fix from PR #25388
Vendor Advisory: https://github.com/PostHog/posthog/pull/25388
Restart Required: Yes
Instructions:
1. Update PostHog to a release that includes the fix from PR #25388.
2. Restart the PostHog service.
3. Confirm the running version includes the fix (see How to Verify below).
🔧 Temporary Workarounds
Network Segmentation
Restrict the PostHog server's outbound network access to the destinations it legitimately needs (its own data stores and configured integrations).
Configure egress firewall rules on the PostHog host or its network segment that block connections to internal address ranges and cloud metadata endpoints (169.254.169.254 and equivalents) it has no reason to contact; this limits what an SSRF can reach even before the patch is applied.
Authentication Hardening
Because the flaw requires an authenticated account, reduce the pool of credentials an attacker could use and watch for signs of compromise.
Enable MFA, implement account lockout policies, prune unused or shared accounts, and review authentication logs for unusual logins preceding database_schema activity.
🧯 If You Can't Patch
- Implement strict network segmentation to limit the PostHog server's ability to reach internal systems
- Enhance authentication security with MFA and monitor for credential compromise
🔍 How to Verify
Check if Vulnerable:
Compare your running PostHog version against the release that includes the fix from PR #25388; any older build is vulnerable.
Check Version:
Check PostHog version in web interface or via API endpoint
Verify Fix Applied:
Verify your PostHog version includes the fix from PR #25388, and test that the database_schema endpoint rejects URIs that resolve to loopback, link-local (including the cloud metadata address), or private address ranges rather than connecting to them.
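To make "properly validates URIs" concrete, here is an added example of the kind of destination check an SSRF fix has to perform before the server opens a connection to a user-supplied host. This is illustrative code, not PostHog's own code and not the change in PR #25388; the function names, the allowed-port list and the fake DNS entries in the demo are assumptions.

```python
# Added example (not PostHog's code or the PR #25388 patch): validating a
# user-supplied database destination before connecting to it.
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeDestination(ValueError):
    """Raised when a user-supplied destination must not be contacted."""


def resolve_all(host):
    """Resolve a DNS name to every address it maps to, as strings.

    All records are checked: an attacker-controlled name can mix a public
    address with an internal one and hope the client picks the wrong record.
    """
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise UnsafeDestination(f"cannot resolve {host!r}") from exc
    # Drop any IPv6 zone index ("fe80::1%eth0") so the string parses as an address.
    return {info[4][0].split("%", 1)[0] for info in infos}


def is_internal_address(ip_text):
    """True for any address a product server should not be steered towards:
    RFC 1918, loopback, link-local (169.254.169.254 cloud metadata lives here),
    IPv6 ULA, unspecified, multicast, reserved and documentation ranges, and
    IPv4-mapped IPv6 forms of those (::ffff:127.0.0.1)."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast


def validated_destination(target, default_port, allowed_ports=(5432, 3306),
                          resolver=resolve_all):
    """Return (ip_literal, port) that is safe to connect to, or raise UnsafeDestination.

    `target` may be a bare host ("db.example", "10.0.0.5", "[::1]") or a URI
    ("postgres://db.example:5432/app"). Callers should connect to the returned
    IP literal, not the original name: re-resolving the name at connect time
    would reopen a DNS-rebinding window between this check and the connection.
    """
    if "://" in target:
        parts = urlsplit(target)
        host = parts.hostname                     # lowercased, brackets stripped
        try:
            port = parts.port or default_port
        except ValueError as exc:
            raise UnsafeDestination("malformed port in URI") from exc
    else:
        host, port = target.strip().strip("[]").lower(), default_port
    if not host:
        raise UnsafeDestination("missing host")
    if port not in allowed_ports:                 # hypothetical allow-list of DB ports
        raise UnsafeDestination(f"port {port!r} is not an allowed database port")
    try:
        candidates = {str(ipaddress.ip_address(host))}   # IP literal: nothing to resolve
    except ValueError:
        candidates = resolver(host)
    for ip_text in candidates:
        if is_internal_address(ip_text):
            raise UnsafeDestination(f"{host!r} resolves to internal address {ip_text}")
    return min(candidates), port


def is_safe_destination(target, default_port, **kwargs):
    """Boolean form of validated_destination for callers that only need yes/no."""
    try:
        validated_destination(target, default_port, **kwargs)
        return True
    except UnsafeDestination:
        return False


if __name__ == "__main__":
    # Offline demo with a fake resolver standing in for DNS (constructed records).
    fake_dns = {"db.partner.example": {"93.184.216.34"},
                "evil.example": {"93.184.216.35", "10.0.0.12"}}
    for t in ("169.254.169.254", "[::ffff:127.0.0.1]", "db.partner.example",
              "evil.example", "postgres://db.partner.example:6379/app"):
        print(f"{t:45} safe={is_safe_destination(t, 5432, resolver=lambda h: fake_dns[h])}")
```

Two caveats a practitioner should carry over to any real fix: for HTTP destinations the same check must be re-applied to every redirect hop (or redirects disabled), since a public host can bounce the server to an internal one; and egress filtering at the network layer (see Temporary Workarounds) remains worthwhile as a second line of defence when the validator has a gap.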
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound requests from PostHog server
- Multiple authentication attempts to PostHog
- Access to database_schema endpoint with unusual parameters
Network Indicators:
- PostHog server making requests to internal IP ranges or unusual domains
- Outbound connections from the PostHog server to cloud metadata services (169.254.169.254; on AWS also fd00:ec2::254)
SIEM Query:
source="posthog" AND (uri="*database_schema*" OR (method="POST" AND endpoint="*database_schema*"))
Adjust the field names (uri, endpoint, method) to your log schema, and pair the hit list with the outbound-connection indicators above: a database_schema request closely followed by an egress attempt to an internal range or the metadata address is the combination to alert on.
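The following is an added example of running the indicators above over a handful of constructed access-log lines; it is not PostHog code. The line format, the user field and the assumption that the request's host parameter appears in the logged target are illustrative, so adapt the regex to the fields your proxy or Django access log actually emits.

```python
# Added example (not PostHog code): scoring constructed log lines for the
# database_schema SSRF indicators. Format and field names are assumptions.
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, not captured from a real system:
# "<timestamp> <user> <method> <path?query> <status>"
SAMPLE_LOG = """\
2024-10-01T10:00:01Z alice@example.com GET /api/projects/1/dashboards/ 200
2024-10-01T10:00:05Z mallory@example.com POST /api/projects/1/external_data_sources/database_schema/?host=169.254.169.254&port=80 200
2024-10-01T10:00:06Z mallory@example.com POST /api/projects/1/external_data_sources/database_schema/?host=10.0.0.12&port=5432 200
2024-10-01T10:00:07Z mallory@example.com POST /api/projects/1/external_data_sources/database_schema/?host=127.0.0.1&port=6379 500
2024-10-01T10:01:00Z bob@example.com POST /api/projects/1/external_data_sources/database_schema/?host=db.partner.example&port=5432 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Split one constructed log line into fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_internal_literal(host):
    """True if host is an IP literal in a non-global range (RFC 1918, loopback,
    link-local incl. 169.254.169.254, ULA, IPv4-mapped forms). DNS names return
    False: resolving them during triage would itself signal the attacker's DNS."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return (not addr.is_global) or addr.is_multicast


def find_ssrf_indicators(log_text, burst_threshold=3):
    """Apply two indicators from the advisory: (1) a database_schema request whose
    host parameter is an internal IP literal; (2) a user issuing a burst of
    database_schema calls, which is what probing internal hosts/ports looks like."""
    hits = Counter()
    internal_targets = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "database_schema" not in rec["path"]:
            continue
        hits[rec["user"]] += 1
        host = rec["params"].get("host", "")
        if is_internal_literal(host):
            internal_targets.append({"ts": rec["ts"], "user": rec["user"],
                                     "host": host, "port": rec["params"].get("port")})
    bursty = {user: n for user, n in hits.items() if n >= burst_threshold}
    return {"database_schema_hits": hits,
            "internal_targets": internal_targets,
            "bursty_users": bursty}


if __name__ == "__main__":
    report = find_ssrf_indicators(SAMPLE_LOG)
    for t in report["internal_targets"]:
        print(f"{t['ts']} {t['user']} -> internal target {t['host']}:{t['port']}")
    print("bursty users:", report["bursty_users"])
```

Bob's single request to an external host is counted but not flagged, which is the intended behaviour: the endpoint has legitimate uses, so the signal is the destination and the volume, not the endpoint itself. Correlating a flagged request with a matching outbound connection from the server (the network indicators above) turns a suspicious entry into a confirmed attempt.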