Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27818 is a security vulnerability in the TerriaJS-Server, a NodeJS Express server used for building web-based geospatial data explorers. The issue lies in the domain validation logic of the proxy allowlist mechanism, specifically in the proxyableDomains configuration.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the server incorrectly validates domains by checking if a hostname ends with an allowed domain using a substring index check. This flawed logic allows malicious domains that merely contain the allowed domain as a suffix (e.g., "maliciousexample.com" when "example.com" is allowed) to be proxied, even though they are not explicitly permitted.'}, {'type': 'paragraph', 'content': 'The fix, introduced in version 4.0.3, changes the validation to only accept hosts that exactly match an allowed domain or are valid subdomains of it, preventing unauthorized proxying of malicious domains.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a high impact on the integrity of your system. An attacker can exploit the flawed domain validation to proxy unauthorized domains through the TerriaJS server.

By proxying malicious domains, an attacker could misuse or manipulate system data, potentially leading to unauthorized actions or data modification.

The vulnerability does not impact confidentiality or availability, but it allows remote exploitation without any privileges, user interaction, or special conditions, making it relatively easy to exploit.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves a domain validation bypass in the TerriaJS server proxy allowlist mechanism, where domains not explicitly allowed can be proxied due to flawed substring checks.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can check the version of the terriajs-server package installed. Versions prior to 4.0.3 are vulnerable.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the vulnerable version include:'}, {'type': 'list_item', 'content': 'Check the installed version via npm: `npm list terriajs-server`'}, {'type': 'list_item', 'content': 'Check the version in your package.json file or lock files (package-lock.json or yarn.lock).'}, {'type': 'list_item', 'content': 'If you have access to the server code, inspect the proxy domain validation logic in `lib/controllers/proxy.js` to see if it uses the vulnerable substring index check instead of the fixed strict equality and suffix check.'}, {'type': 'paragraph', 'content': 'Network detection of exploitation attempts could involve monitoring proxy requests to domains that are not explicitly allowed but contain allowed domains as substrings (e.g., "maliciousexample.com" when "example.com" is allowed).'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the terriajs-server package to version 4.0.3 or later, where the domain validation logic has been fixed.

If upgrading immediately is not possible, consider reviewing and tightening the proxyableDomains configuration to explicitly list only trusted domains and monitor proxy usage closely.

Additionally, audit your server logs for any suspicious proxy requests to domains that should not be allowed and block such requests at the network or application level.

Useful 0 Not Useful 0