{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27818", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.799Z", "datePublished": "2026-02-26T00:02:45.127Z", "dateUpdated": "2026-02-26T15:16:30.580Z"}, "containers": {"cna": {"title": "TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/TerriaJS/terriajs-server/security/advisories/GHSA-w789-49fc-v8hr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TerriaJS/terriajs-server/security/advisories/GHSA-w789-49fc-v8hr"}, {"name": "https://github.com/TerriaJS/terriajs-server/commit/3aaa5d9717162b245ae4569232bbe7d8673c913f", "tags": ["x_refsource_MISC"], "url": "https://github.com/TerriaJS/terriajs-server/commit/3aaa5d9717162b245ae4569232bbe7d8673c913f"}], "affected": [{"vendor": "TerriaJS", "product": "terriajs-server", "versions": [{"version": "< 4.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:02:45.127Z"}, "descriptions": [{"lang": "en", "value": "TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. Version 4.0.3 fixes the issue."}], "source": {"advisory": "GHSA-w789-49fc-v8hr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:16:18.815543Z", "id": "CVE-2026-27818", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:16:30.580Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27818", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T15:16:18.815543Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:16:24.616Z"}}], "cna": {"title": "TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist", "source": {"advisory": "GHSA-w789-49fc-v8hr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "TerriaJS", "product": "terriajs-server", "versions": [{"status": "affected", "version": "< 4.0.3"}]}], "references": [{"url": "https://github.com/TerriaJS/terriajs-server/security/advisories/GHSA-w789-49fc-v8hr", "name": "https://github.com/TerriaJS/terriajs-server/security/advisories/GHSA-w789-49fc-v8hr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TerriaJS/terriajs-server/commit/3aaa5d9717162b245ae4569232bbe7d8673c913f", "name": "https://github.com/TerriaJS/terriajs-server/commit/3aaa5d9717162b245ae4569232bbe7d8673c913f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. Version 4.0.3 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:02:45.127Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27818", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:16:30.580Z", "dateReserved": "2026-02-24T02:32:39.799Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T00:02:45.127Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:terria:terriajs-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5F06F22F-B847-4FB2-96C4-F4D83A704CC9", "versionEndExcluding": "4.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. Version 4.0.3 fixes the issue."}, {"lang": "es", "value": "TerriaJS-Server es un servidor NodeJS Express para TerriaJS, una biblioteca para construir exploradores de datos geoespaciales basados en la web. Un error de validaci\u00f3n en versiones anteriores a la 4.0.3 permite a un atacante hacer proxy de dominios no permitidos expl\u00edcitamente en la configuraci\u00f3n 'proxyableDomains'. La versi\u00f3n 4.0.3 soluciona el problema."}], "id": "CVE-2026-27818", "lastModified": "2026-03-04T21:12:51.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T00:16:26.653", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TerriaJS/terriajs-server/commit/3aaa5d9717162b245ae4569232bbe7d8673c913f"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/TerriaJS/terriajs-server/security/advisories/GHSA-w789-49fc-v8hr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "terriajs-server", "source": "cna", "vendor": "TerriaJS"}, "product": "terriajs-server", "vendor": "terriajs"}], "analysis": {"en": {"generated_at": "2026-04-18T19:35:20.070005+00:00", "value": {"mitigation_remediation": ["Upgrade TerriaJS-Server to version 4.0.3 or later, which corrects the allowlist validation bug.", "If upgrading immediately is not possible, disable the proxy feature or remove all proxyableDomains configuration to prevent any external requests from being forwarded.", "Configure network or application firewall rules to restrict outbound requests from the server to only trusted domains, adding an extra layer of isolation against inadvertent proxy use."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized proxy of arbitrary domains"}, "threat_synthesis": {"affected_systems": "The vulnerable product is TerriaJS-Server, the Node.js Express application used to provide a proxy service for TerriaJS. All releases earlier than version\u202f4.0.3 are affected. Deployments that enable the proxy feature and configure any proxyableDomains list are vulnerable, regardless of user authentication or network restrictions.", "description_and_impact": "TerriaJS-Server, a Node.js Express application that powers the TerriaJS geospatial library, implements a proxy endpoint that forwards external HTTP requests after validating the destination domain against a configured allowlist (proxyableDomains). A flaw in that validation logic lets an attacker specify a target domain that is not in the allowlist and still have the request proxied. This bypass allows the attacker to retrieve data from any remote domain, potentially exfiltrating sensitive data or delivering malicious content to users.\n\nThe vulnerability exists in all releases prior to version\u202f4.0.3 and affects any deployment that enables the proxy feature. The flaw is not mitigated by user authentication; any client that can reach the /proxy endpoint can exercise the bug. While the EPSS score of <\u202f1\u202f% indicates a low current exploitation probability, the danger remains high because the flaw can be triggered without any prerequisites.\n\nWith a CVSS base score of\u202f8.7 the issue is classified as high severity, and the vulnerability is not yet listed in the CISA KEV catalog. Attackers can exploit it by crafting an HTTP request to /proxy with an arbitrary target domain, resulting in the server forwarding the request. The potential impact includes data leakage, injection of malicious payloads into users, or, if internal networks are reachable, indirect access to internal resources.", "risk_and_exploitability": "The CVSS base score of\u202f8.7 indicates high severity. The EPSS score is below\u202f1\u202f%, suggesting a low but nonzero likelihood of current exploitation. The vulnerability is not yet catalogued in the CISA KEV list. Attackers can remotely target the /proxy endpoint from any network that can reach the server, bypassing the domain allowlist and allowing unrestricted outbound HTTP requests. The exploitation requires only knowledge of the endpoint; no authentication is needed, making the risk readily exploitable."}}}}, "created": "2026-02-26T13:10:26.687162+00:00", "updated": "2026-04-18T19:45:08.960815+00:00", "vendors": ["terriajs", "terriajs$PRODUCT$terriajs-server"]}