CVE-2026-53607
Deferred - Pending Action

ApostropheCMS SSRF via Pretty-URL Host Header

Vulnerability report for CVE-2026-53607, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the public pretty-URL handler builds the upstream URL using the raw `Host` HTTP request header. That URL is then fetched and the response body and headers are streamed straight back to the requester. Because `Host` is fully attacker-controlled, an unauthenticated remote attacker can pivot the Apostrophe process to issue outbound HTTP requests against any host it can reach on the private network. The path component is constrained to `/uploads/attachments/<cuid>-<slug>.<ext>` (built from a local-DB lookup), which keeps the impact narrow: cross-instance data exfiltration is neutralized by cuid uniqueness, but blind-SSRF residuals remain (network-topology mapping via response-code / timing differences and verbose proxy/WAF 404 body disclosure). As of time of publication, no known patched versions exist.

CVSS Scores

EPSS Scores


Meta Information

Published
2026-06-12
Last Modified
2026-06-15
Generated
2026-07-03
AI Q&A
2026-06-13
EPSS Evaluated
2026-07-01
NVD

Affected Vendors & Products

Vendor          Product      Version / Range
apostrophecms   apostrophe   up to 4.30.0 (inclusive)

Helpful Resources

Exploitability

CWE

CWE ID    Description
CWE-918   The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

KEV

Attack-Flow Graph

AI Quick Actions

Executive Summary

ApostropheCMS, an open-source Node.js content management system, has a vulnerability in versions up to and including 4.30.0 when the 'prettyUrls: true' feature is enabled on '@apostrophecms/file'. This feature builds URLs using the raw 'Host' HTTP request header, which is attacker-controlled. The system then fetches the URL and streams the response back to the requester. Because the 'Host' header can be manipulated by an attacker, an unauthenticated remote attacker can cause the ApostropheCMS process to make outbound HTTP requests to any host accessible on the private network.

The vulnerability is limited by the path component, which is constrained to a specific pattern based on local database lookups, preventing cross-instance data exfiltration. However, it still allows blind Server-Side Request Forgery (SSRF) attacks, enabling attackers to map network topology through response codes, timing differences, and detailed error messages.

As of the publication date, no patched versions addressing this vulnerability are known.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to make the ApostropheCMS server send HTTP requests to arbitrary hosts within the private network. This can be used to perform network reconnaissance by mapping internal network topology through response codes and timing analysis.

Although the impact is somewhat limited because the path is constrained and cross-instance data exfiltration is prevented, the attacker can still gain information about internal network structure and potentially exploit other internal services.

The vulnerability has a CVSS base score of 3.7, indicating a low to medium severity impact, with limited confidentiality impact and no integrity or availability impact.

Compliance Impact

The vulnerability allows an unauthenticated remote attacker to make the ApostropheCMS server issue outbound HTTP requests to internal network hosts, potentially enabling network topology mapping and limited data exfiltration across instances.

However, the impact is narrow due to constraints on the requested path and uniqueness of identifiers, which neutralizes cross-instance data exfiltration.

There is no direct information provided about how this vulnerability affects compliance with standards such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the ApostropheCMS server making outbound HTTP requests based on the raw Host header in incoming requests when prettyUrls is enabled. Detection can focus on monitoring outbound HTTP requests from the ApostropheCMS server to unexpected internal or external hosts.

You can check network logs or use network monitoring tools to identify unusual outbound HTTP traffic originating from the ApostropheCMS server.

On the server, you might inspect logs or use commands to monitor outgoing connections, for example:

  • Use tcpdump or tshark to capture outbound HTTP traffic: tcpdump -i <interface> 'tcp dst port 80 or tcp dst port 443'
  • Use netstat or ss to check active outbound connections: netstat -tnp | grep <apostrophecms_process> or ss -tnp | grep <apostrophecms_process>
  • Review web server or application logs for requests with unusual Host headers or unexpected response patterns.

Mitigation Strategies

Since no patched versions are available as of the publication date, immediate mitigation involves configuration changes and network controls.

  • Disable the prettyUrls feature on @apostrophecms/file if it is enabled, to prevent the vulnerable code path from being triggered.
  • Implement network-level restrictions to prevent the ApostropheCMS server from making outbound HTTP requests to unauthorized internal or external hosts.
  • Validate and sanitize the Host header in incoming HTTP requests to prevent attacker-controlled values from influencing upstream URL construction.
  • Monitor logs and network traffic for suspicious activity indicating exploitation attempts.
