GHSA-W86F-RF9W-H3X6

Vulnerability from github – Published: 2026-06-08 23:06 – Updated: 2026-06-08 23:06
VLAI
Summary
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading
Details

Summary

An unauthenticated attacker (Alice) connects to FUXA's Socket.IO endpoint and emits a device-webapi-request event whose property.address field names an arbitrary URL. FUXA's DEVICE_WEBAPI_REQUEST handler at server/runtime/index.js:296 calls axios.get(address) server-side and broadcasts the full response body back on the same event via io.emit. The companion handler DEVICE_PROPERTY at server/runtime/index.js:153 has the same miss against OPC UA and ODBC endpoints. Both handlers skip the isSocketWriteAuthorized() check that the other write-capable events (DEVICE_VALUES at line 182, DEVICE_ENABLE at line 358) call. Alice reads cloud instance metadata, scans internal services, and connects to any OPC UA server or ODBC database the FUXA host can reach, then receives the results.

Details

Vulnerable handlers: server/runtime/index.js:153-171, 296-316:

socket.on(Events.IoEventTypes.DEVICE_PROPERTY, (message) => {
    try {
        if (message && message.endpoint && message.type) {
            devices.getSupportedProperty(message.endpoint, message.type).then(result => {
                message.result = result;
                io.emit(Events.IoEventTypes.DEVICE_PROPERTY, message);
            })
            // ...
        }
    }
    // ...
});

socket.on(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, (message) => {
    try {
        if (message && message.property) {
            devices.getRequestResult(message.property).then(result => {
                message.result = result;
                io.emit(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, message);
            })
            // ...
        }
    }
    // ...
});

Sink: server/runtime/devices/httprequest/index.js:471 for the webapi path:

if (property.method === 'GET') {
    axios.get(property.address).then(res => {
        resolve(res.data);
    // ...

Alice fully controls property.address, and io.emit echoes the response body back on the same event. For the ODBC variant, server/runtime/devices/odbc/index.js builds the connection string from endpoint.address plus endpoint.uid and endpoint.pwd, so Alice supplies credentials and targets any reachable ODBC server.

Contrast: server/runtime/index.js:182 (the DEVICE_VALUES write handler) gates the exact same kind of action behind isSocketWriteAuthorized(socket). The two handlers above skip that check.

Reachability: neither handler performs any authorization check, so both modes reach the sinks. secureEnabled=true does not close the gap because the Socket.IO connect block at server/runtime/index.js:114-120 auto-issues a guest token to any client that connects without one, and the handlers run regardless of socket.isAuthenticated. This is the same pattern GHSA-vwcg-c828-9822's note warned about: enabling authentication does not mitigate the missing check here.

Impact

Alice uses FUXA as a read-SSRF oracle against any HTTP(S) service the FUXA host can reach, with the response body delivered back to her Socket.IO session. On cloud-hosted SCADA deployments this exfiltrates IAM credentials from the instance metadata service. On OT networks it reaches internal OPC UA servers, ODBC databases, and administrative consoles that have no other external exposure. The ODBC variant accepts attacker-supplied credentials, so Alice authenticates to any ODBC server that trusts connections from the FUXA host. The attack works against secureEnabled=true deployments as well as the default; no operator interaction required.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (High, 8.2). CWE-918.

Recommended Fix

Add the existing isSocketWriteAuthorized(socket) check at the top of both handlers, matching the pattern used by DEVICE_VALUES and DEVICE_ENABLE. Also switch io.emit to socket.emit so the response scopes to the requesting socket instead of broadcasting to every connected client. For defense in depth, validate property.address against an allowlist of schemes and reject private, loopback, and link-local address ranges before calling axios.get or the device connect paths.

socket.on(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, (message) => {
    try {
        if (!isSocketWriteAuthorized(socket)) {
            logger.warn(`${Events.IoEventTypes.DEVICE_WEBAPI_REQUEST}: unauthorized request from ${socket.userId || 'guest'}`);
            return;
        }
        if (message && message.property) {
            // ... validate property.address against allowlist ...
            devices.getRequestResult(message.property).then(result => {
                message.result = result;
                socket.emit(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, message);
            })
            // ...
        }
    }
    // ...
});

Apply the same three changes (auth check, socket.emit, address validation) to DEVICE_PROPERTY.


A fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.


Found by aisafe.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fuxa-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.14-1243"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-08T23:06:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAn unauthenticated attacker (Alice) connects to FUXA\u0027s Socket.IO endpoint and emits a `device-webapi-request` event whose `property.address` field names an arbitrary URL. FUXA\u0027s `DEVICE_WEBAPI_REQUEST` handler at `server/runtime/index.js:296` calls `axios.get(address)` server-side and broadcasts the full response body back on the same event via `io.emit`. The companion handler `DEVICE_PROPERTY` at `server/runtime/index.js:153` has the same miss against OPC UA and ODBC endpoints. Both handlers skip the `isSocketWriteAuthorized()` check that the other write-capable events (`DEVICE_VALUES` at line 182, `DEVICE_ENABLE` at line 358) call. Alice reads cloud instance metadata, scans internal services, and connects to any OPC UA server or ODBC database the FUXA host can reach, then receives the results.\n\n## Details\n\n**Vulnerable handlers**: `server/runtime/index.js:153-171, 296-316`:\n\n```javascript\nsocket.on(Events.IoEventTypes.DEVICE_PROPERTY, (message) =\u003e {\n    try {\n        if (message \u0026\u0026 message.endpoint \u0026\u0026 message.type) {\n            devices.getSupportedProperty(message.endpoint, message.type).then(result =\u003e {\n                message.result = result;\n                io.emit(Events.IoEventTypes.DEVICE_PROPERTY, message);\n            })\n            // ...\n        }\n    }\n    // ...\n});\n\nsocket.on(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, (message) =\u003e {\n    try {\n        if (message \u0026\u0026 message.property) {\n            devices.getRequestResult(message.property).then(result =\u003e {\n                message.result = result;\n                io.emit(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, message);\n            })\n            // ...\n        }\n    }\n    // ...\n});\n```\n\n**Sink**: `server/runtime/devices/httprequest/index.js:471` for the webapi path:\n\n```javascript\nif (property.method === \u0027GET\u0027) {\n    axios.get(property.address).then(res =\u003e {\n        resolve(res.data);\n    // ...\n```\n\nAlice fully controls `property.address`, and `io.emit` echoes the response body back on the same event. For the ODBC variant, `server/runtime/devices/odbc/index.js` builds the connection string from `endpoint.address` plus `endpoint.uid` and `endpoint.pwd`, so Alice supplies credentials and targets any reachable ODBC server.\n\n**Contrast**: `server/runtime/index.js:182` (the DEVICE_VALUES write handler) gates the exact same kind of action behind `isSocketWriteAuthorized(socket)`. The two handlers above skip that check.\n\nReachability: neither handler performs any authorization check, so both modes reach the sinks. `secureEnabled=true` does not close the gap because the Socket.IO connect block at `server/runtime/index.js:114-120` auto-issues a guest token to any client that connects without one, and the handlers run regardless of `socket.isAuthenticated`. This is the same pattern GHSA-vwcg-c828-9822\u0027s note warned about: enabling authentication does not mitigate the missing check here.\n\n\n## Impact\n\nAlice uses FUXA as a read-SSRF oracle against any HTTP(S) service the FUXA host can reach, with the response body delivered back to her Socket.IO session. On cloud-hosted SCADA deployments this exfiltrates IAM credentials from the instance metadata service. On OT networks it reaches internal OPC UA servers, ODBC databases, and administrative consoles that have no other external exposure. The ODBC variant accepts attacker-supplied credentials, so Alice authenticates to any ODBC server that trusts connections from the FUXA host. The attack works against `secureEnabled=true` deployments as well as the default; no operator interaction required.\n\n**CVSS 3.1**: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N` (High, 8.2). CWE-918.\n\n## Recommended Fix\n\nAdd the existing `isSocketWriteAuthorized(socket)` check at the top of both handlers, matching the pattern used by `DEVICE_VALUES` and `DEVICE_ENABLE`. Also switch `io.emit` to `socket.emit` so the response scopes to the requesting socket instead of broadcasting to every connected client. For defense in depth, validate `property.address` against an allowlist of schemes and reject private, loopback, and link-local address ranges before calling `axios.get` or the device connect paths.\n\n```javascript\nsocket.on(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, (message) =\u003e {\n    try {\n        if (!isSocketWriteAuthorized(socket)) {\n            logger.warn(`${Events.IoEventTypes.DEVICE_WEBAPI_REQUEST}: unauthorized request from ${socket.userId || \u0027guest\u0027}`);\n            return;\n        }\n        if (message \u0026\u0026 message.property) {\n            // ... validate property.address against allowlist ...\n            devices.getRequestResult(message.property).then(result =\u003e {\n                message.result = result;\n                socket.emit(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, message);\n            })\n            // ...\n        }\n    }\n    // ...\n});\n```\n\nApply the same three changes (auth check, `socket.emit`, address validation) to `DEVICE_PROPERTY`.\n\n---\nA fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-w86f-rf9w-h3x6",
  "modified": "2026-06-08T23:06:40Z",
  "published": "2026-06-08T23:06:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-w86f-rf9w-h3x6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frangoteam/FUXA"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…