Impact
Twenty is an open‑source CRM that uses NestJS and a custom SecureHttpClientService for outbound HTTP requests. An SSRF check is intended to block requests to internal IP addresses by calling an isPrivateIp utility. However, Node.js normalizes IPv4‑mapped IPv6 literals (for example ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe) before the check runs, and the utility only recognizes dotted‑decimal notation. Consequently, requests constructed with the hex form bypass the private‑IP filter, and the socket lookup validation never fires for literal IP targets. An authenticated attacker can therefore make the server reach any internal address, including cloud metadata endpoints, and exfiltrate sensitive data such as IAM keys. The weakness is a classic Server Side Request Forgery (CWE‑918).
Affected Systems
The affected product is Twenty, the open‑source CRM built by twentyhq. Versions 1.18.0 and earlier are vulnerable. The threat arises from the server‑side component that performs outbound HTTP calls via the SecureHttpClientService.
Risk and Exploitability
The CVSS score is 8.3, indicating high severity. The EPSS score is not available and the vulnerability is not currently listed in CISA’s KEV catalog. Because authentication is required to invoke the vulnerable functionality, exploitation still requires access to a legitimate user account. Nevertheless, once logged in, an attacker can make the server reach any internal address, exposing sensitive configuration and credentials. The likely attack vector is an authenticated user submitting a crafted URL containing an IPv4‑mapped IPv6 address to trigger the bypass.
OpenCVE Enrichment