Skip to main content

Twenty CRM CVE-2026-33975

| EUVDEUVD-2026-27452 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-05 GitHub_M
8.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 05, 2026 - 22:01 vuln.today
CVSS changed
May 05, 2026 - 20:22 NVD
8.3 (HIGH)

DescriptionGitHub Advisory

Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation. As a result, the hex form passes the SSRF check unchecked. Additionally, the socket lookup validation event does not fire for IP literal addresses, bypassing the second validation layer. An authenticated user can reach any internal IP, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys.

AnalysisAI

Server-side request forgery (SSRF) in Twenty CRM allows authenticated users to bypass IP filtering protections and access internal network resources, including cloud metadata endpoints containing IAM credentials. The vulnerability affects versions 1.18.0 and earlier through exploitation of IPv4-mapped IPv6 address normalization inconsistencies in Node.js URL parsing versus the isPrivateIp validation utility. Attackers with low-privilege authenticated access can exfiltrate sensitive credentials from cloud provider metadata services (169.254.169.254). No public exploit code or active exploitation (CISA KEV) confirmed at time of analysis, though the technical details in the GitHub security advisory provide a clear exploitation path.

Technical ContextAI

The vulnerability exists in Twenty CRM's SecureHttpClientService, a component designed to prevent SSRF attacks by validating that user-supplied URLs do not target private IP ranges. The issue stems from an impedance mismatch between Node.js's native URL parser and the custom isPrivateIp validation function. When an attacker provides an IPv4-mapped IPv6 address in URL literal format (e.g., http://[::ffff:169.254.169.254]/), Node.js normalizes this to compressed hexadecimal notation (::ffff:a9fe:a9fe) before validation. The isPrivateIp utility only recognizes IPv4-mapped addresses in dotted-decimal notation (::ffff:169.254.169.254), allowing the hex-encoded private IP to pass validation. Furthermore, Node.js's socket lookup event-intended as a second validation layer-does not fire for IP literal addresses, completely bypassing runtime IP checks. This dual failure enables authenticated users to craft requests to RFC 1918 private networks, link-local addresses (169.254.0.0/16 used by AWS/Azure/GCP metadata services), and localhost. CWE-918 (Server-Side Request Forgery) classification is accurate, as the application makes attacker-controlled HTTP requests without sufficient destination validation.

RemediationAI

Upgrade to Twenty CRM version >1.18.0 once vendor releases patched version addressing GHSA-vrcj-hv2q-c58m (specific fixed version not confirmed in available data-consult https://github.com/twentyhq/twenty/security/advisories/GHSA-vrcj-hv2q-c58m for release announcement). Until patched version is deployed, implement network-layer compensating controls with the following trade-offs: (1) Configure egress firewall rules to block twenty-server processes from accessing 169.254.169.254/32, RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and localhost (127.0.0.0/8, ::1/128)-this prevents metadata service access but may break legitimate integrations requiring internal network communication; (2) If running in AWS, enforce IMDSv2 (requiring PUT request with token) via instance metadata options, which mitigates simple GET-based SSRF but does not eliminate vulnerability if attacker controls HTTP method; (3) Disable or restrict SecureHttpClientService functionality if webhook/external HTTP features are not business-critical-this eliminates attack surface but reduces CRM integration capabilities; (4) Implement application-layer allowlist of permitted destination domains rather than IP-based blocklisting-requires operational overhead to maintain but provides defense-in-depth. Review application logs for requests to IPv6 literal addresses (pattern: http://\[.*\]) as potential exploitation indicators.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-33975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy