Skip to main content

FUXA CVE-2026-47719

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-08 https://github.com/frangoteam/FUXA GHSA-w86f-rf9w-h3x6
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 23:34 vuln.today
Analysis Generated
Jun 08, 2026 - 23:34 vuln.today
CVE Published
Jun 08, 2026 - 23:06 nvd
HIGH 8.2

DescriptionGitHub Advisory

Summary

An unauthenticated attacker (Alice) connects to FUXA's Socket.IO endpoint and emits a device-webapi-request event whose property.address field names an arbitrary URL. FUXA's DEVICE_WEBAPI_REQUEST handler at server/runtime/index.js:296 calls axios.get(address) server-side and broadcasts the full response body back on the same event via io.emit. The companion handler DEVICE_PROPERTY at server/runtime/index.js:153 has the same miss against OPC UA and ODBC endpoints. Both handlers skip the isSocketWriteAuthorized() check that the other write-capable events (DEVICE_VALUES at line 182, DEVICE_ENABLE at line 358) call. Alice reads cloud instance metadata, scans internal services, and connects to any OPC UA server or ODBC database the FUXA host can reach, then receives the results.

Details

Vulnerable handlers: server/runtime/index.js:153-171, 296-316:

javascript
socket.on(Events.IoEventTypes.DEVICE_PROPERTY, (message) => {
    try {
        if (message && message.endpoint && message.type) {
            devices.getSupportedProperty(message.endpoint, message.type).then(result => {
                message.result = result;
                io.emit(Events.IoEventTypes.DEVICE_PROPERTY, message);
            })
            // ...
        }
    }
    // ...
});

socket.on(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, (message) => {
    try {
        if (message && message.property) {
            devices.getRequestResult(message.property).then(result => {
                message.result = result;
                io.emit(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, message);
            })
            // ...
        }
    }
    // ...
});

Sink: server/runtime/devices/httprequest/index.js:471 for the webapi path:

javascript
if (property.method === 'GET') {
    axios.get(property.address).then(res => {
        resolve(res.data);
    // ...

Alice fully controls property.address, and io.emit echoes the response body back on the same event. For the ODBC variant, server/runtime/devices/odbc/index.js builds the connection string from endpoint.address plus endpoint.uid and endpoint.pwd, so Alice supplies credentials and targets any reachable ODBC server.

Contrast: server/runtime/index.js:182 (the DEVICE_VALUES write handler) gates the exact same kind of action behind isSocketWriteAuthorized(socket). The two handlers above skip that check.

Reachability: neither handler performs any authorization check, so both modes reach the sinks. secureEnabled=true does not close the gap because the Socket.IO connect block at server/runtime/index.js:114-120 auto-issues a guest token to any client that connects without one, and the handlers run regardless of socket.isAuthenticated. This is the same pattern GHSA-vwcg-c828-9822's note warned about: enabling authentication does not mitigate the missing check here.

Impact

Alice uses FUXA as a read-SSRF oracle against any HTTP(S) service the FUXA host can reach, with the response body delivered back to her Socket.IO session. On cloud-hosted SCADA deployments this exfiltrates IAM credentials from the instance metadata service. On OT networks it reaches internal OPC UA servers, ODBC databases, and administrative consoles that have no other external exposure. The ODBC variant accepts attacker-supplied credentials, so Alice authenticates to any ODBC server that trusts connections from the FUXA host. The attack works against secureEnabled=true deployments as well as the default; no operator interaction required.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (High, 8.2). CWE-918.

Recommended Fix

Add the existing isSocketWriteAuthorized(socket) check at the top of both handlers, matching the pattern used by DEVICE_VALUES and DEVICE_ENABLE. Also switch io.emit to socket.emit so the response scopes to the requesting socket instead of broadcasting to every connected client. For defense in depth, validate property.address against an allowlist of schemes and reject private, loopback, and link-local address ranges before calling axios.get or the device connect paths.

javascript
socket.on(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, (message) => {
    try {
        if (!isSocketWriteAuthorized(socket)) {
            logger.warn(`${Events.IoEventTypes.DEVICE_WEBAPI_REQUEST}: unauthorized request from ${socket.userId || 'guest'}`);
            return;
        }
        if (message && message.property) {
            // ... validate property.address against allowlist ...
            devices.getRequestResult(message.property).then(result => {
                message.result = result;
                socket.emit(Events.IoEventTypes.DEVICE_WEBAPI_REQUEST, message);
            })
            // ...
        }
    }
    // ...
});

Apply the same three changes (auth check, socket.emit, address validation) to DEVICE_PROPERTY.

--- A fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.

--- *Found by aisafe.io*

AnalysisAI

Server-side request forgery in FUXA SCADA/HMI server (npm package fuxa-server <= 1.1.14-1243) allows unauthenticated remote attackers to connect to the Socket.IO endpoint and coerce the server to issue arbitrary HTTP(S), OPC UA, or ODBC requests with response bodies echoed back to the caller. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-w86f-rf9w-h3x6 provides full handler-level reproduction details and the fix is shipped in release v1.3.2.

Technical ContextAI

FUXA is an open-source Node.js-based SCADA/HMI/IoT gateway that exposes a Socket.IO control plane on its runtime server. The root cause is CWE-918 (SSRF): two Socket.IO event handlers - DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY in server/runtime/index.js - invoke device drivers (axios.get for HTTP, plus OPC UA and ODBC clients) using an attacker-controlled property.address, then broadcast the raw response via io.emit. Unlike sibling write-capable handlers DEVICE_VALUES (line 182) and DEVICE_ENABLE (line 358), these two omit the isSocketWriteAuthorized() gate. The Socket.IO connect block at lines 114-120 also auto-issues a guest token to unauthenticated clients, so enabling secureEnabled=true does not close the gap - the same pattern noted in prior advisory GHSA-vwcg-c828-9822. Affected CPE is pkg:npm/fuxa-server.

RemediationAI

Vendor-released patch: upgrade to FUXA v1.3.2 (https://github.com/frangoteam/FUXA/releases/tag/v1.3.2), whose security notes explicitly list 'Unauthenticated SSRF via Socket.IO (#2344)' as fixed; the advisory at https://github.com/frangoteam/FUXA/security/advisories/GHSA-w86f-rf9w-h3x6 is the authoritative reference. If upgrade is delayed, restrict network reach to the Socket.IO listener (typically the same port as the FUXA HTTP server) so only trusted operator subnets can connect - note this breaks any legitimate remote HMI clients. As an in-code workaround, add the existing isSocketWriteAuthorized(socket) check at the top of both DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY handlers, switch io.emit to socket.emit so responses do not broadcast to every connected client, and validate property.address against a scheme allowlist that rejects private, loopback, link-local, and cloud-metadata ranges (169.254.169.254, fd00::/8, 127.0.0.0/8, 10/8, 172.16/12, 192.168/16) - this will also block legitimate intranet device polling, so the allowlist must enumerate real device IPs. On cloud deployments, enforce IMDSv2 (or the GCP/Azure equivalent) so a blind GET against the metadata endpoint cannot trivially return credentials.

Share

CVE-2026-47719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy