We found results for “


Date: February 9, 2022


In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.


ArangoDB is a native multi-model database with flexible data models for documents, graphs, and key-values. Affected versions of ArangoDB are vulnerable to Blind SSRF due to improper filtering of requests performed internally, in the feature which allows downloading Foxx services from a publicly available URL. This can be abused by an authenticated attacker to send internal requests to localhost.
Note: ArangoDB 3.8.x version 3.8.5 and onwards are vulnerable to this issue by default, but can be toggled in the startup options. for further information, see this comment: https://github.com/arangodb/arangodb/pull/15344#issue-1079754008

PoC Details

For demonstration purposes, we will open a netcat listener on the ArangoDB-installed machine, to demonstrate an open local service.
Login as a highly privileged user. Go to Services, Remote, Enter url. Put the Server’s URL with the open netcat port. Set mount point as mnt/hello.
On the netcat listener terminal, we can see that the request was received internally.

Affected Environments

All versions of ArangoDB 3.7; All versions of ArangoDB 3.8 (3.8.5 onwards can be mitigated in startup configuration); ArangoDB 3.9 prior to v3.9.0-beta.1


If you are using ArangoDB 3.8 or earlier - Upgrade to ArangoDB 3.8.5 or later, and be sure to toggle off the `--foxx.allow-install-from-remote` flag on startup configuration, otherwise the application will still be vulnerable.
If you are using ArangoDB 3.9 - Upgrade to 3.9.0-beta.1 or later.

Language: C

Good to know:


Server-Side Request Forgery (SSRF)


Upgrade Version

Upgrade to version v3.9.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information: