Impact
2FAuth, a web application for managing Two-Factor Authentication accounts, contains a blind Server-Side Request Forgery (SSRF) vulnerability in the image parameter of OTP URLs. An authenticated user can supply a URL that is not properly validated for private or internal IP addresses, causing the server to perform an HTTP request to that URL before validating the response. This flaw allows attackers to reach internal resources, cloud metadata services, or other confidential endpoints that are normally shielded from the public internet. The vulnerability is categorized as CWE-918, indicating the potential for remote data exfiltration and internal network discovery, thereby threatening the confidentiality and integrity of internal systems.
Affected Systems
The affected product is 2FAuth by Bubka. All releases prior to 6.1.0 are vulnerable; the fix was introduced in 6.1.0. Specific vendors and CPEs impacted include the Bubka:2FAuth product listed as cpe:2.3:a:2fauth:2fauth:*:*:*:*:*:*:*:*.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, but the EPSS score of <1% suggests a low likelihood of exploitation at any given time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session with 2FAuth; the attacker can then cause the server to make arbitrary HTTP or HTTPS requests to internal IPs or cloud metadata endpoints, but because the SSRF is blind, the attacker receives no response content directly. Nonetheless, the ability to reach internal services can be leveraged for further attacks. The attack vector is remote, via the web application, and requires authentication.
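The mitigation the Impact and Risk sections imply is to validate the user-supplied image URL before any request is issued, and to validate the addresses the hostname actually resolves to rather than the hostname text. The following is an added example of such a guard, written here for illustration; it is not 2FAuth's own fix, and the resolver table, host names and function names are constructed for this example.

```python
import ipaddress
import socket
from typing import Iterable, Optional
from urllib.parse import urlsplit

def system_resolver(host: str) -> Iterable[str]:
    """Every A/AAAA answer for host; one name may map to several addresses."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def constructed_resolver(host: str) -> Iterable[str]:
    """Constructed DNS table so the example runs offline (not real hosts)."""
    table = {
        "cdn.example": ["93.184.216.34"],
        "mixed.example": ["93.184.216.34", "10.0.0.5"],  # one internal answer
        "meta.example": ["169.254.169.254"],              # metadata address
    }
    if host not in table:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return table[host]

def resolve_public_image_url(url: str, resolver=system_resolver) -> Optional[str]:
    """Return the public IP to connect to, or None if the URL must be refused.
    Checks run on resolved addresses, not hostname text, so 127.1, decimal IPs
    and names resolving to internal space are caught; any non-global answer
    (loopback, RFC 1918, link-local incl. 169.254.169.254, ULA) rejects it.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None  # e.g. unbalanced IPv6 brackets
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.password:
        return None  # credentials embedded in an image URL are never legitimate
    try:
        answers = [ipaddress.ip_address(parts.hostname)]  # literal IP, no DNS
    except ValueError:
        try:
            answers = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (socket.gaierror, ValueError):
            return None
    connect_to = []
    for addr in answers:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return None
        connect_to.append(str(addr))
    return connect_to[0] if connect_to else None
```

The HTTP client should then connect to the returned address (sending the original name in the Host header and TLS SNI) instead of resolving the name a second time, so a DNS answer that changes between check and fetch cannot bypass the guard; redirects returned by the fetched resource must be passed through the same check before being followed.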
OpenCVE Enrichment