CVE-2026-59702
Received Received - Intake

Server-Side Request Forgery in Repomix via Git Clone

Vulnerability report for CVE-2026-59702, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers to access private network addresses, GCP metadata services, or local filesystem paths.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
crazyforks repomix to 1.14.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to make arbitrary outbound requests to private network addresses, cloud metadata services, or local filesystem paths. This can lead to unauthorized access to sensitive internal resources or data.

Such unauthorized access risks could potentially lead to exposure of personal or sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict controls over access to sensitive information.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Executive Summary

CVE-2026-59702 is a critical Server-Side Request Forgery (SSRF) vulnerability in the repomix software, specifically in the POST /api/pack endpoint.

This vulnerability occurs because the endpoint does not properly validate URLs (including http://, https://, and file://) before passing them to the git clone command.

As a result, unauthenticated attackers can exploit this flaw to make arbitrary outbound requests from the server, potentially accessing private network addresses, cloud metadata services like Google Cloud Platform (GCP), or even local filesystem paths.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to internal network resources and sensitive data.

  • Attackers can use the vulnerability to access private network addresses that are normally inaccessible from outside.
  • They can retrieve sensitive metadata from cloud services such as GCP, which may include credentials or tokens.
  • The flaw also allows attackers to access local filesystem paths on the server, potentially exposing confidential files.

Overall, this can lead to information disclosure, unauthorized internal network reconnaissance, and potential further exploitation.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing outbound requests made by the repomix server, especially those triggered by the POST /api/pack endpoint. Look for unusual or unauthorized outbound requests to private network addresses, cloud metadata services (such as GCP metadata URLs), or local filesystem paths.

You can use network monitoring tools or packet capture utilities to detect suspicious outbound traffic. For example, using tcpdump or Wireshark to capture HTTP requests originating from the repomix server.

  • tcpdump -i <interface> host <repomix_server_ip> and port 80 or port 443
  • tcpdump -i <interface> src <repomix_server_ip> and dst net 169.254.169.254 (to detect metadata service access)

Additionally, you can check server logs for POST requests to /api/pack with suspicious repository URLs containing protocols like file://, http://, or URLs pointing to internal IP ranges or cloud metadata endpoints.

  • grep "/api/pack" /path/to/repomix/server/logs | grep -E "file://|http://|169.254.169.254|metadata.google.internal"
Mitigation Strategies

The immediate mitigation step is to upgrade repomix to version 1.14.1 or later, where the vulnerability has been fixed.

The fix restricts repository cloning to public HTTPS URLs only, blocking unsafe protocols such as file://, http://, ssh://, and git://, and prevents access to internal or private IP addresses.

If upgrading immediately is not possible, consider implementing network-level controls to block outbound requests from the repomix server to private IP ranges and cloud metadata service IPs.

Also, monitor and restrict access to the POST /api/pack endpoint to trusted users or networks to reduce exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59702. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart