Platform: nodejs
Component: txtdot
Fixed in: 1.7.1
CVE-2024-41812 describes a Server-Side Request Forgery (SSRF) vulnerability found in txtdot, an HTTP proxy designed to strip ads and scripts from web pages. This vulnerability allows attackers to leverage the txtdot server as a proxy to send HTTP GET requests to internal network resources, potentially exposing sensitive information. The vulnerability affects versions of txtdot prior to 1.7.0; version 1.7.0 mitigates the display of responses but does not fully prevent the forwarding of requests.
The SSRF vulnerability in txtdot allows an attacker to bypass network segmentation and access internal resources that are not directly exposed to the internet. An attacker could use this to scan the internal network for open ports and services, potentially identifying other vulnerable systems. They could also retrieve sensitive data from internal web applications or APIs, such as configuration files, database credentials, or user data. The blast radius extends to any internal resource accessible via HTTP GET requests from the txtdot server. While version 1.7.0 prevents the display of the response, the underlying request forwarding functionality remains, meaning sensitive data can still be exfiltrated through other means.
This vulnerability was publicly disclosed on July 26, 2024. There is no indication of active exploitation at this time. The EPSS score is currently unavailable, but given the SSRF nature and public disclosure, it is likely to be assessed as medium probability. No public proof-of-concept (PoC) code has been released as of this writing.
EPSS: 0.33% (56% percentile)
The primary mitigation for CVE-2024-41812 is to upgrade txtdot to version 1.7.0 or later. This version prevents the display of responses from forged requests, reducing the immediate risk of data exposure. However, it does not completely eliminate the SSRF vulnerability. For complete mitigation, a firewall should be implemented between the txtdot server and other internal network resources, restricting outbound connections to only necessary destinations. Consider using a Web Application Firewall (WAF) to filter outbound requests and block suspicious traffic. After upgrading, confirm the fix by attempting to send a request to an internal resource via the /get route and verifying that the response is not displayed.
Update txtdot to version 1.7.0 or higher. If updating is not possible, configure a firewall between txtdot and other internal network resources to mitigate the SSRF risk. This will prevent txtdot from accessing unwanted internal resources.
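The egress restriction recommended above can be mirrored inside a Node.js proxy as a destination check that runs before any request is forwarded. The following is an added example, not txtdot's code and not the project's fix: the function names are hypothetical, the blocked ranges are the standard loopback, private, link-local and carrier-grade NAT blocks, and the caller is assumed to supply the addresses it resolved for the hostname.

```javascript
// Added example: hypothetical helper names, not txtdot's code.
// IPv4 ranges (base, prefix length) a public proxy should not fetch from.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
  });
}

// Expects the compressed lowercase form the WHATWG URL parser emits.
function isBlockedV6(ip) {
  if (ip === '::' || ip === '::1') return true; // unspecified, loopback
  const mapped = ip.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (mapped) { // IPv4-mapped address: check the embedded IPv4 address
    const hi = parseInt(mapped[1], 16);
    const lo = parseInt(mapped[2], 16);
    return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  const first = parseInt(ip.split(':')[0] || '0', 16);
  // fc00::/7 unique local, fe80::/10 link-local
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80;
}

// Accepts a URL hostname or a resolved address; the URL parser normalises
// decimal, hex and short IPv4 spellings before the range check.
function isInternalHost(host) {
  const h = host.includes(':') && !host.startsWith('[') ? `[${host}]` : host;
  let norm;
  try { norm = new URL(`http://${h}/`).hostname; } catch { return true; }
  if (norm.startsWith('[')) return isBlockedV6(norm.slice(1, -1));
  if (/^\d+\.\d+\.\d+\.\d+$/.test(norm)) return isBlockedV4(norm);
  return norm === 'localhost' || norm.endsWith('.localhost');
}

// resolvedAddrs: addresses the caller got from DNS for url.hostname.
function destinationVerdict(rawUrl, resolvedAddrs) {
  let url;
  try { url = new URL(rawUrl); } catch { return 'deny: unparsable URL'; }
  if (!['http:', 'https:'].includes(url.protocol)) return 'deny: scheme';
  if (isInternalHost(url.hostname)) return 'deny: internal host';
  if (resolvedAddrs.some((a) => isInternalHost(a))) return 'deny: resolves to internal address';
  return 'allow';
}
```

The check only holds if the outgoing connection is made to one of the addresses that were checked, and redirects need the same check on every hop; the firewall between the proxy and internal resources remains the control that does not depend on application code.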
CVE-2024-41812 is a Server-Side Request Forgery vulnerability in txtdot versions before 1.7.0, allowing attackers to use the server as a proxy to access internal resources.
You are affected if you are running txtdot versions prior to 1.7.0 and have not implemented compensating controls like a firewall.
Upgrade to txtdot version 1.7.0 or later and implement a firewall between the txtdot server and internal resources.
There is currently no indication of active exploitation, but the vulnerability is publicly known.
Refer to the txtdot project's repository or website for the official advisory and release notes.