Platform: nodejs
Component: txtdot
Fixed in: 1.4.1
CVE-2024-41813 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in txtdot, an HTTP proxy designed to strip ads and scripts from web pages. This flaw allows attackers to leverage the txtdot server as a proxy to send HTTP GET requests to arbitrary internal targets, potentially exposing sensitive information. The vulnerability affects versions 1.4.0 and later, up to, but not including, version 1.6.1. A patch is available in version 1.6.1.
The SSRF vulnerability in txtdot allows an attacker to bypass network security controls and reach internal resources that are not directly accessible from the outside world. An attacker could, for example, scan internal ports, access internal APIs, or retrieve sensitive data from internal databases or file servers. The blast radius extends to any internal service reachable via HTTP GET requests. Successful exploitation could lead to data breaches, unauthorized access to internal systems, and potentially further compromise of the network. The ability to proxy requests through txtdot effectively grants the attacker a foothold within the internal network.
CVE-2024-41813 was publicly disclosed on July 26, 2024. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation if left unpatched.
Exploit Status
EPSS: 0.33% (56th percentile)
The primary mitigation for CVE-2024-41813 is to upgrade to version 1.6.1 of txtdot. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict network access to the txtdot server to only trusted sources using firewall rules or network segmentation. Implement input validation on the /proxy route to prevent attackers from specifying arbitrary target URLs. Monitor txtdot logs for suspicious outbound requests. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter malicious requests. After upgrading, confirm the fix by attempting to send a request to an internal resource through the /proxy route; the request should be blocked.
Update txtdot to version 1.6.1 or higher. This version fixes the SSRF vulnerability in the `/proxy` route. To update, use the npm package manager: `npm install txtdot@latest`.
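The input validation recommended above amounts to deciding, before any outbound request is made, whether a user-supplied target URL may be fetched at all. The block below is an added example written for this page, not txtdot's own code: `isSafeProxyTarget` and its helpers are hypothetical names. It rejects non-http(s) schemes and any target whose host is a blocked name or an IP literal in loopback, private, link-local, CGNAT or cloud-metadata space, and it leans on the WHATWG URL parser to normalise shorthand spellings of the same addresses first.

```javascript
// Hypothetical target check for a proxy route (added example, not txtdot code).
// new URL() normalises shorthand IPs (127.1, 0x7f000001, 2130706433 all
// become 127.0.0.1), so the range checks below run on canonical forms.
const BLOCKED_HOSTNAMES = new Set(['localhost', 'metadata.google.internal']);

// True for dotted-quad IPv4 addresses in loopback, private, link-local or CGNAT space.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||           // link-local; cloud metadata endpoints live here
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168) ||           // 192.168.0.0/16
    (a === 100 && b >= 64 && b <= 127);   // 100.64.0.0/10 (CGNAT)
}

// True for IPv6 loopback/unspecified, unique-local, link-local, and IPv4-mapped
// addresses whose embedded IPv4 is private. The URL parser serialises
// ::ffff:10.0.0.1 as ::ffff:a00:1, so both spellings are handled.
function isPrivateIPv6(ip) {
  const lower = ip.toLowerCase();
  if (lower === '::1' || lower === '::') return true;
  const mapped = lower.match(/^::ffff:(.+)$/);
  if (mapped) {
    if (mapped[1].includes('.')) return isPrivateIPv4(mapped[1]);
    const [hi] = mapped[1].split(':').map((h) => parseInt(h, 16));
    return isPrivateIPv4(`${hi >> 8}.${hi & 0xff}.0.0`); // only first two octets matter
  }
  return /^f[cd]/.test(lower) || /^fe[89ab]/.test(lower); // fc00::/7, fe80::/10
}

// Returns true only when the target is an http(s) URL whose host is neither
// a blocked name nor a non-public IP literal.
function isSafeProxyTarget(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host)) return false;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return !isPrivateIPv4(host);
  if (host.startsWith('[')) return !isPrivateIPv6(host.slice(1, -1)); // IPv6 literal
  // A DNS name passes here. A real deployment must resolve it and re-run
  // these checks on every returned address right before connecting, or a
  // name that maps to 127.0.0.1 (DNS rebinding) walks straight through.
  return true;
}
```

The same function doubles as the post-upgrade check described above: feeding it an internal address such as a loopback or link-local target must return false before the request reaches the proxy.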
CVE-2024-41813 is a Server-Side Request Forgery (SSRF) vulnerability in txtdot versions 1.4.0 through 1.6.0, allowing attackers to proxy requests to internal resources.
You are affected if you are running txtdot versions 1.4.0 to 1.6.0. Upgrade to version 1.6.1 to mitigate the vulnerability.
Upgrade to version 1.6.1 of txtdot. As a temporary workaround, restrict network access and implement input validation.
There is currently no evidence of active exploitation, but the vulnerability's severity warrants immediate attention and patching.
Refer to the txtdot project's official advisory and release notes for details and updates: [https://github.com/txtdot/txtdot/releases/tag/v1.6.1](https://github.com/txtdot/txtdot/releases/tag/v1.6.1)