CVE-2026-27818: Domain Proxy Bypass in terriajs-server
Platform
nodejs
Component
terriajs-server
Fixed in
4.0.4
4.0.3
CVE-2026-27818 is an input-validation vulnerability in terriajs-server that allows attackers to bypass the proxy allowlist. The hostname check only tests whether the target hostname ends with an allowed domain, so an unrelated domain that merely shares that suffix is accepted and the server will proxy requests to it. Versions of terriajs-server up to and including 4.0.2 are affected; the fix is available in version 4.0.3.
Impact and Attack Scenarios
An attacker can exploit this vulnerability by registering a domain whose name ends with an allowed domain (e.g., maliciousexample.com when example.com is in the proxyableDomains configuration) and then requesting that the vulnerable terriajs-server instance proxy content from it. Because the check is a bare suffix comparison rather than an exact or subdomain match, maliciousexample.com is accepted as if it were example.com. This defeats the intended proxy restrictions and can lead to data exposure, delivery of attacker-controlled content to clients that trust the proxy, and use of the server as a pivot toward resources it can reach. The blast radius covers every user or system that relies on the terriajs-server proxy, particularly deployments that proxy sensitive data or sit in front of internal services.
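The following is an added illustrative example, not code from terriajs-server: it places a suffix-only allowlist check of the kind this advisory describes beside a hardened exact-or-subdomain check, and runs both over a constructed set of proxy targets. The function names, the allowlist contents and the sample URLs are assumptions made for the example.

```javascript
// Added example (not terriajs-server code): suffix-only allowlist check
// versus an exact-or-subdomain check. Names and sample data are assumptions.

// Constructed sample allowlist, in the spirit of a proxyableDomains setting.
const proxyableDomains = ["example.com", "tiles.example.org"];

// Vulnerable pattern: a bare endsWith() accepts any hostname whose tail
// matches an allowed domain, so maliciousexample.com passes for example.com.
function isAllowedVulnerable(hostname, allowed) {
  const host = hostname.toLowerCase();
  return allowed.some((d) => host.endsWith(d.toLowerCase()));
}

// Hardened check: accept only an exact match or a genuine subdomain, i.e. a
// "." must immediately precede the allowed domain. Case and a trailing dot
// are normalized so "API.EXAMPLE.COM." is treated as api.example.com.
function isAllowedHardened(hostname, allowed) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return allowed.some((d) => {
    const domain = d.toLowerCase().replace(/\.$/, "");
    return host === domain || host.endsWith("." + domain);
  });
}

// Take the hostname the proxy would actually connect to from the URL parser,
// not from string slicing, so userinfo such as http://example.com@attacker.test/
// is read as attacker.test rather than example.com.
function targetHostname(rawUrl) {
  try {
    return new URL(rawUrl).hostname;
  } catch {
    return null; // unparseable target: never proxy it
  }
}

// Decide whether a proxy target is permitted under a given check.
function proxyDecision(rawUrl, check, allowed = proxyableDomains) {
  const host = targetHostname(rawUrl);
  return host !== null && check(host, allowed);
}

// Constructed targets: the first three are legitimate, the rest must be refused.
const samples = [
  "https://example.com/data.json",
  "https://api.example.com/data.json",
  "https://tiles.example.org/1/2/3.png",
  "https://maliciousexample.com/payload", // suffix-match bypass (CVE-2026-27818)
  "https://example.com.attacker.test/", // allowed name used as a prefix
  "http://example.com@attacker.test/", // allowed name placed in userinfo
];

// Run both checks over the samples and report where they disagree.
function compare(urls = samples) {
  return urls.map((u) => ({
    url: u,
    vulnerable: proxyDecision(u, isAllowedVulnerable),
    hardened: proxyDecision(u, isAllowedHardened),
  }));
}

console.table(compare());
```

Only the maliciousexample.com entry separates the two checks: the suffix comparison lets it through while the hardened check refuses it. The prefix and userinfo cases are refused by both because the hostname is taken from the URL parser; a check that extracted the host with a hand-written regex could fall to those as well.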
Exploitation Context
This vulnerability was publicly disclosed on 2026-02-26. There is no indication of active exploitation at this time, and it is not currently listed in the CISA KEV catalog. No public proof-of-concept (PoC) code is known, but the flaw is a simple suffix comparison, so a working PoC requires little more than an allowlisted domain's name and a request for a lookalike host.
Threat Intelligence
EPSS
0.10% (26th percentile)
Mitigation and Workarounds
The primary mitigation is to upgrade terriajs-server to version 4.0.3 or later, which contains the corrected validation logic. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that blocks proxy requests to any host not explicitly allowlisted can reduce exposure, provided the rule itself matches on the exact host or its subdomains rather than on a suffix. In addition, restrict the proxyableDomains configuration to explicitly trusted domains and audit proxy configurations regularly against security policy. After upgrading, confirm the fix by requesting a proxied URL for a host that is a suffix match but not a subdomain of an allowed entry (for example maliciousexample.com when example.com is allowed) and verifying that the request is rejected.
How to fix
Update terriajs-server to version 4.0.3 or higher via npm. This version fixes the domain validation bypass in the proxy allowlist.
Frequently asked questions
What is CVE-2026-27818 — Domain Proxy Bypass in terriajs-server?
CVE-2026-27818 is a vulnerability in terriajs-server where a suffix-only hostname check lets attackers bypass the proxy allowlist and proxy requests to unauthorized domains.
Am I affected by CVE-2026-27818 in terriajs-server?
If you are running terriajs-server version 4.0.2 or earlier, you are potentially affected.
How do I fix CVE-2026-27818 in terriajs-server?
Upgrade terriajs-server to version 4.0.3 or later. Consider WAF rules as a temporary mitigation until you can upgrade.
Is CVE-2026-27818 being actively exploited?
There is currently no indication of active exploitation of CVE-2026-27818.
Where can I find the official terriajs-server advisory for CVE-2026-27818?
Refer to the terriajs-server project's release notes or security advisories for details on this vulnerability and the fix.