CVE-2026-62143
Received Received - Intake

SSRF Protection Bypass in MISP Modules

Vulnerability report for CVE-2026-62143, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

A Server-Side Request Forgery (SSRF) protection bypass existed in the html_to_markdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges without first normalising IPv4-mapped IPv6 addresses. An authenticated attacker able to invoke the module could supply an IPv4-mapped IPv6 address, such as: http://[::ffff:127.0.0.1]/ http://[::ffff:169.254.169.254]/ Alternatively, the attacker could use a hostname that resolves to an IPv4-mapped IPv6 address. These addresses were treated as IPv6 addresses and therefore did not match the corresponding blocked IPv4 ranges. Successful exploitation could cause the misp-modules server to connect to services available through its loopback interface, internal network, or link-local network. This could expose internal web services, administrative interfaces, or cloud instance metadata, with retrieved content potentially returned to the attacker as converted Markdown. The vulnerability has been addressed by normalising IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying the blocked-range checks. URLs without a valid hostname are now also rejected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
misp-modules misp-modules to 3.0.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) protection bypass in the html_to_markdown expansion module of misp-modules. The module tries to block requests to restricted IP address ranges like loopback, private, and link-local addresses. However, it failed to properly normalize IPv4-mapped IPv6 addresses before checking them against the blocked ranges.

An attacker with authentication can supply an IPv4-mapped IPv6 address or a hostname resolving to such an address, which the module treats as IPv6 and does not block. This allows the attacker to make the server connect to internal services such as loopback interfaces, internal networks, or cloud metadata services, potentially exposing sensitive internal content.

Impact Analysis

Exploitation of this vulnerability can allow an attacker to access internal web services, administrative interfaces, or cloud instance metadata that are normally protected from external access.

The attacker could retrieve sensitive internal information by forcing the server to connect to these restricted resources and return the content as converted Markdown, potentially leading to information disclosure or further attacks within the internal network.

Detection Guidance

Detection of this vulnerability involves identifying attempts to use IPv4-mapped IPv6 addresses or hostnames resolving to such addresses that bypass IP blocking in the misp-modules html_to_markdown expansion module.

You can monitor network traffic or logs for URLs containing IPv4-mapped IPv6 addresses, such as those in the format http://[::ffff:127.0.0.1]/ or http://[::ffff:169.254.169.254]/.

Commands to help detect such activity might include searching logs or network captures for these patterns. For example, using grep on logs:

  • grep -E '\[::ffff:[0-9a-fA-F:.]+\]' /path/to/misp-modules/logs/*
  • tcpdump or Wireshark filters to capture HTTP requests containing IPv4-mapped IPv6 addresses.

Additionally, checking for hostnames that resolve to IPv4-mapped IPv6 addresses can be done by resolving suspicious hostnames and inspecting their IPs.

Mitigation Strategies

Immediate mitigation involves updating the misp-modules to a version that includes the security fix for CVE-2026-62143.

The fix normalizes IPv4-mapped IPv6 addresses to their IPv4 equivalents before applying blocked-range checks and rejects URLs without valid hostnames.

If updating is not immediately possible, consider implementing additional network-level controls to block requests to loopback, private, and link-local IP ranges, including IPv4-mapped IPv6 addresses.

Also, monitor and restrict authenticated users' ability to invoke the vulnerable html_to_markdown expansion module until the patch is applied.

Compliance Impact

This vulnerability allows an authenticated attacker to bypass SSRF protections and access internal services, including administrative interfaces and cloud instance metadata. Such unauthorized access to internal or sensitive data could lead to exposure of confidential information.

Exposure of sensitive or internal data due to this vulnerability could potentially result in non-compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62143. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart