Server-side request forgery (SSRF) in nocodb
Description
NocoDB: Server-Side Request Forgery via Base Migration URL
Summary
The base-migration endpoint accepted a caller-supplied URL that the migration worker
dereferenced without enforcing protocol or destination, allowing scheme abuse
(file:, ftp:, etc.) and probing of internal HTTP destinations.
Details
The migrate endpoint is restricted to the workspace owner role by ACL. The remaining
gaps were (a) protocol validation — the controller now parses body.migrationUrl as a
URL and rejects anything whose protocol is not http: or https: — and (b) private
destination filtering — the worker already runs through useAgent(targetUrl) from
request-filtering-agent, which blocks RFC 1918, loopback, and link-local at the
socket layer.
Impact
With the workspace owner role, a malformed URL could be used to coerce the migration worker into reading local files or talking to non-HTTP services. Because the request-filtering-agent already screened http: and https: destinations at the socket layer, owner-supplied HTTP targets could not reach private ranges; the unvalidated scheme was the remaining exposure.
Credit
This issue was reported by Devel Group Security Research Team through @TREXNEGRO. It was independently reported by @Lihfdgjr and [@bugbunny-research](https://github.com/bugbunny-research).
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version |
|---|---|---|
| npm | nocodb | |
Aliases
References