Description
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the public pretty-URL handler builds the upstream URL using the raw `Host` HTTP request header. That URL is then `fetch`'ed and the response body + headers are streamed straight back to the requester. Because `Host` is fully attacker-controlled, an unauthenticated remote attacker can pivot the apostrophe process to issue outbound HTTP requests against any host it can reach on the private network. The path component is constrained to `/uploads/attachments/<cuid>-<slug>.<ext>` (built from a local-DB lookup), which keeps the impact narrow: cross-instance data exfiltration is neutralized by cuid uniqueness, but blind-SSRF residuals remain (network-topology mapping via response-code / timing differences and verbose proxy/WAF 404 body disclosure). As of time of publication, no known patched versions exist.
Published: 2026-06-12
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the @apostrophecms/file component, where setting prettyUrls to true causes the system to build an upstream URL from the raw Host request header and then fetch that URL. The response body and headers are streamed directly back to the requester, allowing an unauthenticated attacker to direct the server to make outbound HTTP requests to any host it can reach. The path component is limited to /uploads/attachments/<cuid>-<slug>.<ext>, which restricts the attack surface to a single attachment path, but the attacker can still discover internal network topology, timing information, and receive verbose proxy/WAF responses, constituting a blind SSRF exposure. This weakness is classified as CWE‑918.

Affected Systems

ApostropheCMS, the open-source Node.js content management system, is affected. Versions up to and including 4.30.0 expose this flaw when @apostrophecms/file’s prettyUrls feature is enabled. No patched versions are currently available.

Risk and Exploitability

The CVSS score of 3.7 indicates a low overall severity, and the EPSS score is not provided. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires only an unauthenticated HTTP request with a crafted Host header, the likelihood of exploitation is low but not negligible; the attacker must also have access to the network segment that the ApostropheCMS server can reach. No confirmed exploits are known yet, but the blind SSRF can still be useful for reconnaissance of internal hosts.

Generated by OpenCVE AI on June 12, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the pretty-URL feature by setting prettyUrls to false in @apostrophecms/file configuration or removing the route entirely.
  • Configure a network firewall or host-based outbound rules to block or restrict HTTP requests originating from the ApostropheCMS process to unapproved internal hosts.
  • Add validation or sanitization logic for the Host header in the code path, ensuring it is either ignored or matched against a strict whitelist before being used to form an upstream URL.
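
The third recommendation, sketched as an added example (this is not ApostropheCMS code, and it is not a vendor fix): the pattern the description reports, next to a variant that checks `Host` against an allowlist and takes the upstream origin from configuration. The function names, the `cms.example.com` origin, the allowlist and the regular expression for the attachment path are all assumptions made for illustration.

```javascript
// Added illustration, not ApostropheCMS source. Every name here is hypothetical.
const CONFIGURED_BASE = 'https://cms.example.com'; // assumed operator-set origin
const ALLOWED_HOSTS = new Set(['cms.example.com', 'cms.example.com:443']);
// Assumed shape of /uploads/attachments/<cuid>-<slug>.<ext>
const ATTACHMENT_PATH = /^\/uploads\/attachments\/[a-z0-9]+-[a-z0-9-]+\.[a-z0-9]+$/;

// Pattern the advisory describes: the upstream origin is the raw Host header.
function upstreamFromHostHeader(req, attachmentPath) {
  return `${req.protocol}://${req.headers.host}${attachmentPath}`;
}

// Lower-case and accept only hostname[:port]; anything else yields null.
function normalizeHost(raw) {
  if (typeof raw !== 'string') return null;
  const host = raw.trim().toLowerCase();
  return /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?$/.test(host) ? host : null;
}

// Hardened: Host is checked against the allowlist but never copied into the
// URL; the origin always comes from configuration.
function upstreamFromConfig(req, attachmentPath) {
  const host = normalizeHost(req.headers.host);
  if (host === null || !ALLOWED_HOSTS.has(host)) {
    return { ok: false, status: 400, reason: 'host not allowed' };
  }
  if (!ATTACHMENT_PATH.test(attachmentPath)) {
    return { ok: false, status: 404, reason: 'unexpected attachment path' };
  }
  return { ok: true, url: new URL(attachmentPath, CONFIGURED_BASE).href };
}

// Constructed sample requests (not captured traffic).
const samplePath = '/uploads/attachments/ckabc123def456-annual-report.pdf';
const legit = { protocol: 'https', headers: { host: 'CMS.example.com' } };
const forged = { protocol: 'http', headers: { host: 'intranet.invalid:8080' } };

function demo() {
  return {
    vulnerableForged: upstreamFromHostHeader(forged, samplePath),
    hardenedForged: upstreamFromConfig(forged, samplePath),
    hardenedLegit: upstreamFromConfig(legit, samplePath)
  };
}
console.log(demo());
```

Rejecting the request before any outbound fetch also removes the response-code and timing differences the description lists as residual risk, because a disallowed `Host` never reaches the network.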

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Title @apostrophecms/file pretty-URL Vulnerable to Unauthenticated SSRF via Host header
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:54:30.866Z

Reserved: 2026-06-09T19:39:52.404Z

Link: CVE-2026-53607

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T21:16:24.247

Modified: 2026-06-12T21:16:24.247

Link: CVE-2026-53607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:45:28Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)