GHSA-h6vv-pcq8-7xm4Medium

NocoDB: Server-Side Request Forgery via Base Migration URL

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations.

Details

The migrate endpoint is restricted to the workspace owner role by ACL. The remaining gaps were (a) protocol validation — the controller now parses body.migrationUrl as a URL and rejects anything whose protocol is not http: or https: — and (b) private destination filtering — the worker already runs through useAgent(targetUrl) from request-filtering-agent, which blocks RFC 1918, loopback, and link-local at the socket layer.

Impact

With the workspace owner role, a malformed URL could be used to coerce the migration worker into reading local files or talking to non-HTTP services; combined with the HTTP-only filter, owner-supplied targets could not reach private ranges.

Credit

This issue was reported by Devel Group Security Research Team through @TREXNEGRO. It was independently reported by @Lihfdgjr and [@bugbunny-research (https://github.com/bugbunny-research).

🎯 Affected products1

  • npm/nocodb:<= 0.301.3

🔗 References (2)