NocoDB spreadsheet-import endpoint SSRF protection added
The spreadsheet-import endpoint `axiosRequestMake` is no longer usable as a generic HTTP proxy.
What changed
The spreadsheet-import endpoint `axiosRequestMake` is no longer usable as a generic HTTP proxy. Three protections were added: authentication and authorization guards on the endpoint, a file-extension check performed on the URL's pathname only (rather than on the full URL string), and destination filtering at the socket layer, applied to the address the connection actually goes to.
Who it affects
All NocoDB instances that expose the spreadsheet-import endpoint, especially those that are reachable without authentication or whose server has permissive network access.
What to do today
Update NocoDB to the latest patched version to prevent SSRF attacks via the spreadsheet-import endpoint.
Source
GitHub Advisory · nocodb