CVE-2026-33975— twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33975
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization
Source: NVD (National Vulnerability Database)
Vulnerability Description
Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation. As a result, the hex form passes the SSRF check unchecked. Additionally, the socket lookup validation event does not fire for IP literal addresses, bypassing the second validation layer. An authenticated user can reach any internal IP, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Twenty 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Twenty是Twenty开源的一个 CRM 平台。 Twenty 1.18.0及之前版本存在代码问题漏洞,该漏洞源于SSRF保护可被IPv4映射的IPv6地址绕过,Node.js URL解析器将IPv4映射的IPv6地址标准化为压缩十六进制形式,但isPrivateIp工具仅识别点分十进制表示法,导致十六进制形式绕过SSRF检查,可能导致认证用户访问内部IP并窃取IAM密钥等凭据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33975
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33975
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same weakness: CWE-918
- CVE-2026-8193
Akaunting Invoice PDF Rendering dompdf.php server-side reque - CVE-2026-44313
LinkWarden: Server-Side Request Forgery (SSRF) in Link Creat - CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processe - CVE-2026-42346
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validatio - CVE-2026-42339
New API: SSRF Filter Bypass via 0.0.0.0
V. Comments for CVE-2026-33975
No comments yet