Description
Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.
Published: 2026-07-08
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Monsta FTP versions earlier than 2.14.5 are affected by a server‑side request forgery vulnerability caused by an incomplete IP blocklist check. The isBlockedIP() function fails to reject embedded IPv4 addresses that are wrapped in IPv4‑mapped IPv6 addresses. An unauthenticated attacker can first acquire a CSRF token from the open getSystemVars endpoint and then submit a fetchRemoteFile request that points to a source URL resolving to an IPv4‑mapped address. The server will create an HTTP request to an internal service, pull the response, and write it to an FTP destination controlled by the attacker. This allows the attacker to retrieve sensitive information such as cloud‑instance metadata credentials.

Affected Systems

The vulnerability impacts all installations of Monsta FTP produced by Monsta Limited of New Zealand running a version before 2.14.5 (i.e., 2.14.4 and older). No specific patch level was provided, but the CNA notes that 2.14.5 contains the fix.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote web traffic: an unauthenticated user can exploit the flaw simply by sending HTTP requests to the fetchRemoteFile endpoint from outside the network. The ability to pull internal data and exfiltrate it via FTP makes this a significant risk, especially for cloud deployments where metadata services hold credentials.

Generated by OpenCVE AI on July 9, 2026 at 09:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Monsta FTP to version 2.14.5 or newer, which includes a fixed isBlockedIP() check and removes the SSRF flaw.
  • If an upgrade is not immediately possible, restrict the fetchRemoteFile endpoint so that only authenticated users can invoke it, and/or block requests that target internal IP address ranges, including IPv4‑mapped IPv6 addresses, using firewall or application‑level rules.
  • Ensure that the getSystemVars endpoint, which provides a CSRF token, is protected behind proper authentication or disabled altogether to prevent unauthenticated token acquisition.

Generated by OpenCVE AI on July 9, 2026 at 09:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.
Title Monsta FTP < 2.14.5 SSRF via IPv4-Mapped IPv6 Address Bypass
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-09T13:43:58.815Z

Reserved: 2026-07-08T13:27:53.030Z

Link: CVE-2026-60105

cve-icon Vulnrichment

Updated: 2026-07-09T13:43:55.980Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T09:15:05Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)