Impact
Monsta FTP versions earlier than 2.14.5 are affected by a server‑side request forgery vulnerability caused by an incomplete IP blocklist check. The isBlockedIP() function fails to reject embedded IPv4 addresses that are wrapped in IPv4‑mapped IPv6 addresses. An unauthenticated attacker can first acquire a CSRF token from the open getSystemVars endpoint and then submit a fetchRemoteFile request that points to a source URL resolving to an IPv4‑mapped address. The server will create an HTTP request to an internal service, pull the response, and write it to an FTP destination controlled by the attacker. This allows the attacker to retrieve sensitive information such as cloud‑instance metadata credentials.
Affected Systems
The vulnerability impacts all installations of Monsta FTP produced by Monsta Limited of New Zealand running a version before 2.14.5 (i.e., 2.14.4 and older). No specific patch level was provided, but the CNA notes that 2.14.5 contains the fix.
Risk and Exploitability
The CVSS score of 7.7 indicates a high severity vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote web traffic: an unauthenticated user can exploit the flaw simply by sending HTTP requests to the fetchRemoteFile endpoint from outside the network. The ability to pull internal data and exfiltrate it via FTP makes this a significant risk, especially for cloud deployments where metadata services hold credentials.
OpenCVE Enrichment