CVE-2026-27818
Open Proxy Vulnerability in TerriaJS-Server Before
Publication date: 2026-02-26
Last updated on: 2026-03-04
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| terria | terriajs-server | up to 4.0.3 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27818 is a security vulnerability in TerriaJS-Server, a NodeJS Express server used for building web-based geospatial data explorers. The issue lies in the domain validation logic of the proxy allowlist mechanism, specifically in the proxyableDomains configuration.

The vulnerability occurs because the server incorrectly validates domains by checking whether a hostname ends with an allowed domain using a substring index check. This flawed logic allows malicious domains that merely contain the allowed domain as a suffix (e.g., "maliciousexample.com" when "example.com" is allowed) to be proxied, even though they are not explicitly permitted.

The fix, introduced in version 4.0.3, changes the validation to only accept hosts that exactly match an allowed domain or are valid subdomains of it, preventing unauthorized proxying of malicious domains. [1, 2]
How can this vulnerability impact me?
This vulnerability can have a high impact on the integrity of your system. An attacker can exploit the flawed domain validation to proxy unauthorized domains through the TerriaJS server.
By proxying malicious domains, an attacker could misuse or manipulate system data, potentially leading to unauthorized actions or data modification.
The vulnerability does not impact confidentiality or availability, but it allows remote exploitation without any privileges, user interaction, or special conditions, making it relatively easy to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a domain validation bypass in the TerriaJS server proxy allowlist mechanism, where domains not explicitly allowed can be proxied due to flawed substring checks.

To detect this vulnerability on your system, you can check the version of the terriajs-server package installed. Versions prior to 4.0.3 are vulnerable.

Suggested commands to detect the vulnerable version include:

- Check the installed version via npm: `npm list terriajs-server`
- Check the version in your package.json file or lock files (package-lock.json or yarn.lock).
- If you have access to the server code, inspect the proxy domain validation logic in `lib/controllers/proxy.js` to see if it uses the vulnerable substring index check instead of the fixed strict equality and suffix check.

Network detection of exploitation attempts could involve monitoring proxy requests to domains that are not explicitly allowed but contain allowed domains as substrings (e.g., "maliciousexample.com" when "example.com" is allowed). [1, 2]
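The two answers above describe the flawed check and a way to spot bypass attempts in logs. The following is an added illustration, not code from terriajs-server or from this record: it writes out the loose "ends with an allowed domain" check the advisory describes, the strict exact-match-or-subdomain check the 4.0.3 fix calls for, and a small log scan that flags proxy targets the loose check would accept but the strict check refuses. The allowlist, the log format and all function names are assumptions constructed for the example.

```javascript
// Added example, not terriajs-server's own code. Shows the loose suffix check
// described for CVE-2026-27818, the strict check the fix requires, and a log
// scan for requests that only the loose check would have let through.

// Hypothetical allowlist standing in for a proxyableDomains configuration.
const ALLOWED_DOMAINS = ['example.com', 'tiles.example.org'];

// Lower-case and drop a single trailing dot so "Example.com." matches "example.com".
function normalizeHost(hostname) {
  return String(hostname).toLowerCase().replace(/\.$/, '');
}

// Loose check (the CWE-918 pattern described on this page): the allowed string
// only has to end the hostname, so "maliciousexample.com" is accepted for
// "example.com" because nothing requires a dot boundary before the suffix.
function looseHostAllowed(hostname, allowed = ALLOWED_DOMAINS) {
  const host = normalizeHost(hostname);
  return allowed.some((d) => {
    const dom = normalizeHost(d);
    const i = host.lastIndexOf(dom);
    return i !== -1 && i === host.length - dom.length;
  });
}

// Strict check matching the fix described for 4.0.3: the host must equal an
// allowed domain exactly or be a subdomain of it (a dot must separate them).
function strictHostAllowed(hostname, allowed = ALLOWED_DOMAINS) {
  const host = normalizeHost(hostname);
  // Only plain DNS labels are considered; anything else is refused outright.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(host)) return false;
  return allowed.some((d) => {
    const dom = normalizeHost(d);
    return host === dom || host.endsWith('.' + dom);
  });
}

// Parse the proxy target as a URL so that only its hostname is checked; URL
// parsing keeps userinfo and port separate from the hostname. Non-HTTP schemes
// are refused.
function targetHostname(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.hostname;
}

// Decision a proxy endpoint would take for a requested target URL.
function isProxyTargetAllowed(rawUrl, allowed = ALLOWED_DOMAINS) {
  const host = targetHostname(rawUrl);
  return host !== null && strictHostAllowed(host, allowed);
}

// Constructed access-log lines: "<timestamp> <method> <path> <status>".
const SAMPLE_LOG = [
  '2026-03-01T10:00:01Z GET /proxy/https://example.com/tiles/1/2/3.png 200',
  '2026-03-01T10:00:02Z GET /proxy/https://maps.example.com/wms?layers=a 200',
  '2026-03-01T10:00:03Z GET /proxy/https://maliciousexample.com/data 200',
  // Refused by both checks, so it is not a bypass signature for the old code.
  '2026-03-01T10:00:04Z GET /proxy/https://tiles.example.org.test/x 200',
  '2026-03-01T10:00:05Z GET /healthz 200',
];

// Return proxy requests whose target the loose check accepts but the strict
// check refuses: on a pre-4.0.3 server these are the requests that went through
// even though the target was not actually on the allowlist.
function flagSuspiciousProxyRequests(lines, allowed = ALLOWED_DOMAINS) {
  const flagged = [];
  for (const line of lines) {
    const m = /\s\/proxy\/(\S+)\s/.exec(line);
    if (!m) continue;
    const host = targetHostname(m[1]);
    if (host === null) continue;
    if (looseHostAllowed(host, allowed) && !strictHostAllowed(host, allowed)) {
      flagged.push({ line, host });
    }
  }
  return flagged;
}

for (const hit of flagSuspiciousProxyRequests(SAMPLE_LOG)) {
  console.log(`suspicious proxy target ${hit.host}: ${hit.line}`);
}
```

Run with `node` on the constructed log; the one flagged line is the "maliciousexample.com" request, while the genuine subdomain request to maps.example.com passes both checks and is left alone. Point the same scan at real access logs for a server that ran a version before 4.0.3 to see which proxied targets were outside the intended allowlist.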
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the terriajs-server package to version 4.0.3 or later, where the domain validation logic has been fixed.
If upgrading immediately is not possible, consider reviewing and tightening the proxyableDomains configuration to explicitly list only trusted domains and monitor proxy usage closely.
Additionally, audit your server logs for any suspicious proxy requests to domains that should not be allowed and block such requests at the network or application level.