Platform: nodejs
Component: huly-platform
Fixed in: 0.7.383
A server-side request forgery (SSRF) vulnerability has been identified in Huly Platform version 0.7.382. The flaw allows an attacker to make the application issue requests to unintended internal or external resources, potentially exposing sensitive data or enabling further attacks. The vulnerability resides in the Import Endpoint component, specifically in server/front/src/index.ts. A public exploit is available, indicating a heightened risk of exploitation.
The SSRF vulnerability in Huly Platform allows an attacker to supply URLs that the server will fetch on the attacker's behalf. This can have several consequences. An attacker could reach internal services that are not directly exposed to the internet, such as databases, configuration files, or administrative interfaces. They might also scan internal networks for other vulnerable systems, facilitating lateral movement. The ability to make arbitrary requests also opens the door to data exfiltration and denial-of-service attacks against internal resources. The presence of a public exploit significantly increases the likelihood of exploitation and the potential for widespread impact.
This vulnerability is considered actively exploitable due to the availability of a public proof-of-concept. The vulnerability was disclosed on 2026-04-06. The vendor was contacted but did not respond. The exploit's public availability suggests a medium probability of exploitation (EPSS score likely medium). Monitor security advisories and threat intelligence feeds for any indications of active campaigns targeting Huly Platform.
Exploit Status
EPSS: 0.03% (11th percentile)
The primary mitigation for CVE-2026-5623 is to upgrade to a patched version of Huly Platform as soon as it becomes available. Since no fixed version is currently specified, closely monitor the vendor's website and security advisories for updates. As a temporary workaround, implement strict input validation on any user-supplied URLs or hostnames used in requests made by the Import Endpoint. Consider deploying a Web Application Firewall (WAF) with rules to block suspicious outbound requests based on URL patterns or destination IP addresses. Restrict network access to the Huly Platform server to only necessary ports and services.
Update the Huly Platform to a patched version. Review the source code in `src/index.ts` to identify and mitigate the server-side request forgery vulnerability. Implement robust input validation to prevent URL manipulation.
CVE-2026-5623 is a server-side request forgery vulnerability affecting Huly Platform version 0.7.382, allowing attackers to make requests on behalf of the server.
If you are using Huly Platform version 0.7.382, you are potentially affected by this SSRF vulnerability. Monitor for vendor updates.
The recommended fix is to upgrade to a patched version of Huly Platform. Monitor the vendor's website for updates and implement input validation as a temporary workaround.
Yes, a public exploit exists, indicating a high probability of active exploitation. Monitor your systems and implement mitigations immediately.
Check the Huly Platform website and security advisories for the latest information regarding CVE-2026-5623.