Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25991 is a Blind Server-Side Request Forgery (SSRF) vulnerability in the Cookmate recipe import feature of the Tandoor Recipes application prior to version 2.5.1.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application validates the initial URL provided for importing images but does not re-validate URLs after HTTP redirects. This allows any authenticated user, including those without administrative privileges, to cause the server to make requests to arbitrary internal or external resources.'}, {'type': 'paragraph', 'content': 'Specifically, the flaw lies in the code that fetches images from URLs in the cookbook/integration/cookmate.py file, where the server follows redirects without checking if the redirected URL points to restricted or internal network addresses.'}, {'type': 'paragraph', 'content': "Exploitation can involve scanning internal network ports, accessing cloud instance metadata services (such as AWS or GCP metadata endpoints), or revealing the server's real IP address."}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Tandoor Recipes to version 2.5.1 or later, where this SSRF vulnerability has been fixed.

If immediate upgrade is not possible, apply the following mitigations:

• Modify the code in cookbook/integration/cookmate.py to disable automatic following of HTTP redirects by setting allow_redirects=false in requests.get calls.
• Implement strict validation of all URLs, including those in redirects, to ensure they do not resolve to private or internal IP addresses.
• Restrict access to the import API endpoint (/api/import/) to trusted users only, if possible.
• Monitor and block outgoing HTTP requests to internal IP ranges or cloud metadata IP addresses at the network firewall level.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have significant security impacts including:'}, {'type': 'list_item', 'content': 'Allowing attackers to scan internal network ports, potentially discovering other vulnerable services.'}, {'type': 'list_item', 'content': 'Accessing sensitive cloud instance metadata services (e.g., AWS or GCP metadata endpoints), which can lead to full infrastructure compromise.'}, {'type': 'list_item', 'content': "Disclosing the server's real IP address, which may aid attackers in further targeting the infrastructure."}, {'type': 'paragraph', 'content': 'Because any authenticated user can exploit this vulnerability without special privileges or user interaction, the risk is elevated.'}] [3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the server making HTTP requests to arbitrary internal or external resources via the Cookmate recipe import feature. Detection can focus on monitoring outgoing HTTP requests from the Tandoor Recipes server, especially those triggered by authenticated users importing recipes.

To detect exploitation attempts or scanning activities, you can monitor network traffic for unusual HTTP requests to internal IP ranges or metadata service IPs (e.g., 169.254.169.254).

• Use network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests from the server.
• Example tcpdump command to monitor HTTP requests from the server:
• tcpdump -i <interface> -n host <server_ip> and tcp port 80 or tcp port 443
• Check server logs for requests to the import API endpoint (/api/import/) which can be triggered by any authenticated user.
• Look for unusual or unexpected outbound HTTP requests to internal IP addresses or cloud metadata IPs.
• If you have access to the application logs, search for calls to the Cookmate integration or image import functions that result in HTTP requests.

Useful 0 Not Useful 0