Description
TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. Version 4.0.3 fixes the issue.
Published: 2026-02-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized proxy of arbitrary domains
Action: Immediate Patch
AI Analysis

Impact

TerriaJS-Server, a Node.js Express application that powers the TerriaJS geospatial library, implements a proxy endpoint that forwards external HTTP requests after validating the destination domain against a configured allowlist (proxyableDomains). A flaw in that validation logic lets an attacker specify a target domain that is not in the allowlist and still have the request proxied. This bypass allows the attacker to retrieve data from any remote domain, potentially exfiltrating sensitive data or delivering malicious content to users.

The vulnerability exists in all releases prior to version 4.0.3 and affects any deployment that enables the proxy feature. The flaw is not mitigated by user authentication: any client that can reach the /proxy endpoint can exercise the bug.

While the EPSS score of < 1% indicates a low current exploitation probability, the danger remains high because the flaw can be triggered without any prerequisites. With a CVSS base score of 8.7 the issue is classified as high severity, and the vulnerability is not yet listed in the CISA KEV catalog. Attackers can exploit it by crafting an HTTP request to /proxy with an arbitrary target domain, resulting in the server forwarding the request. The potential impact includes data leakage, injection of malicious payloads into content served to users, or, if internal networks are reachable from the server, indirect access to internal resources.
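The advisory does not say which input the flawed check mishandled, so the following is not a reconstruction of the bug. It is an added example, not TerriaJS-Server's own code, showing the checks a proxy allowlist needs regardless: parse the target with the WHATWG URL parser, compare the parsed hostname (not a substring of the raw string) against the allowlist at a label boundary, and refuse non-http(s) schemes and embedded credentials. The helper names, the sample allowlist and the assumption that each `proxyableDomains` entry covers itself and its subdomains are all constructed for the demo and are not taken from the project.

```javascript
// Added example, not TerriaJS-Server's own code: a strict destination check for a
// proxy endpoint gated by a domain allowlist such as `proxyableDomains`.
// Assumptions (not taken from the advisory): the allowlist holds bare hostnames,
// each entry permits itself and its subdomains, and the proxy accepts only
// absolute http(s) URLs. The sample allowlist below is constructed for the demo.

const SAMPLE_PROXYABLE_DOMAINS = ["example.com", "tiles.example.org"];

// Lower-case a domain and strip surrounding whitespace and leading/trailing dots,
// so "Example.COM." and "example.com" compare equal.
function normaliseDomain(domain) {
  return String(domain).trim().toLowerCase().replace(/^\.+/, "").replace(/\.+$/, "");
}

// True only when `host` is exactly an allowed domain or sits under one at a
// label boundary: "api.example.com" matches "example.com", but
// "notexample.com" and "example.com.evil.test" do not.
function hostIsAllowed(host, allowlist) {
  const h = normaliseDomain(host);
  if (h === "") return false;
  return allowlist
    .map(normaliseDomain)
    .some((d) => d !== "" && (h === d || h.endsWith("." + d)));
}

// Decide whether a raw target supplied by the client may be proxied.
// Parses with the WHATWG URL parser instead of string searching, so the host
// that will actually be contacted is the one that gets checked.
function validateProxyTarget(rawTarget, allowlist) {
  let url;
  try {
    url = new URL(String(rawTarget));
  } catch {
    return { ok: false, reason: "target is not an absolute URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // Reject userinfo outright: "https://example.com@evil.test/" would otherwise
  // look like an allowed host to a naive prefix check on the raw string.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials in target URL" };
  }
  // url.hostname excludes the port, so "example.com:8443" still matches.
  if (!hostIsAllowed(url.hostname, allowlist)) {
    return { ok: false, reason: `host ${url.hostname} not in proxyableDomains` };
  }
  return { ok: true, url: url.href };
}

// Small self-check when run directly (constructed inputs): node proxy-allowlist.js
if (typeof require !== "undefined" && require.main === module) {
  for (const t of [
    "https://example.com/data.json",
    "https://api.example.com/layers",
    "https://notexample.com/",
    "https://example.com.evil.test/",
    "https://example.com@evil.test/",
    "ftp://example.com/",
  ]) {
    console.log(t, "->", JSON.stringify(validateProxyTarget(t, SAMPLE_PROXYABLE_DOMAINS)));
  }
}
```

In a deployment such a check complements, rather than replaces, the upgrade to 4.0.3 and the egress firewall rules listed under the recommended actions: even a correct allowlist still lets the server reach whatever those domains resolve to, so outbound restrictions at the network layer remain the backstop.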

Affected Systems

The vulnerable product is TerriaJS-Server, the Node.js Express application used to provide a proxy service for TerriaJS. All releases earlier than version 4.0.3 are affected. Deployments that enable the proxy feature and configure any proxyableDomains list are vulnerable, regardless of user authentication or network restrictions.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity. The EPSS score is below 1%, suggesting a low but nonzero likelihood of current exploitation. The vulnerability is not yet catalogued in the CISA KEV list. Attackers can remotely target the /proxy endpoint from any network that can reach the server, bypassing the domain allowlist and obtaining unrestricted outbound HTTP requests. Exploitation requires only knowledge of the endpoint; no authentication is needed, which makes the flaw readily exploitable.

Generated by OpenCVE AI on April 18, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TerriaJS-Server to version 4.0.3 or later, which corrects the allowlist validation bug.
  • If upgrading immediately is not possible, disable the proxy feature or remove all proxyableDomains configuration to prevent any external requests from being forwarded.
  • Configure network or application firewall rules to restrict outbound requests from the server to only trusted domains, adding an extra layer of isolation against inadvertent proxy use.

Advisories
Source | ID | Title
Github GHSA | GHSA-w789-49fc-v8hr | TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
History

Wed, 04 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Terria; Terria terriajs-server
CPEs | | cpe:2.3:a:terria:terriajs-server:*:*:*:*:*:node.js:*:*
Vendors & Products | | Terria; Terria terriajs-server
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Fri, 27 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Terriajs; Terriajs terriajs-server
Vendors & Products | | Terriajs; Terriajs terriajs-server

Thu, 26 Feb 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. Version 4.0.3 fixes the issue.
Title | | TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
Weaknesses | | CWE-20; CWE-918
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:16:30.580Z

Reserved: 2026-02-24T02:32:39.799Z

Link: CVE-2026-27818

Vulnrichment

Updated: 2026-02-26T15:16:24.616Z

NVD

Status : Analyzed

Published: 2026-02-26T00:16:26.653

Modified: 2026-03-04T21:12:51.720

Link: CVE-2026-27818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses