Skip to main content

Repomix CVE-2026-59702

| EUVDEUVD-2026-42298 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-08 VulnCheck GHSA-5wj3-m77q-j278
9.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Unauthenticated network endpoint (PR:N/UI:N/AC:L); SSRF crosses a trust boundary to internal/metadata systems (S:C) with high confidentiality (C:H) and only minor integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 16:19 vuln.today

DescriptionCVE.org

repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers to access private network addresses, GCP metadata services, or local filesystem paths.

AnalysisAI

Server-side request forgery in Repomix's hosted API (POST /api/pack) lets unauthenticated remote attackers coerce the server into making arbitrary outbound requests. Because the endpoint passes user-supplied URLs to git clone without validating the http://, https://, or file:// schemes, an attacker can reach internal-only network addresses, cloud metadata endpoints (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate exposed Repomix /api/pack endpoint
Delivery
Send crafted repo URL (metadata/file scheme)
Exploit
Server passes URL to git clone
Execution
Fetch internal service or local file
Impact
Exfiltrate cloud credentials or file contents

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run Repomix in its server/web mode with the POST /api/pack endpoint network-reachable by the attacker; per CVSS PR:N/UI:N/AC:L/AT:N no authentication, no user interaction, and no special preconditions are needed against such a deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N, score 9.2) describes a network-reachable, low-complexity, fully unauthenticated flaw with high confidentiality impact on both the vulnerable system and a subsequent system (SC:H) - consistent with SSRF that pivots to internal services and metadata. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a hosted Repomix instance sends an unauthenticated POST /api/pack request with a repository URL of http://169.254.169.254/computeMetadata/v1/ (GCP metadata) or file:///etc/passwd. Repomix passes the URL to git clone, the server fetches the internal resource, and the attacker recovers cloud credentials or local file contents from the response. …
Remediation Patch available per vendor advisory - an upstream fix commit exists (https://github.com/CrazyForks/repomix/commit/c748b524f41225e7fc6f89ad0084520901a453cf); a released patched version is not independently confirmed from the provided data, so upgrade to the latest Repomix release that incorporates this commit and verify the fix is present. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Apply the latest Repomix security patch to all hosted API instances and notify all users. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59702 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy