NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
- Where: Global (internet)
- Category: cyber_advisory · npm
### Summary

The spreadsheet-fetch endpoint (`axiosRequestMake`) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`, allowing the cloud-metadata endpoint to be reached with a crafted URL.

### Details

The extension matcher is now anchored to the end of the path or immediately before the query string (`/\.(xls|xlsx|xlsm|ods|ots)(\?|$)/i` and `/\.(csv)(\?|$)/i`), so `http://169.254.169.254/credentials/.xlsx` no longer satisfies the format gate. The hand-rolled IP blocklist is removed in favour of `useAgent(url)` from `request-filtering-agent`, which blocks private and loopback ranges at the socket layer.

### Impact

Authenticated users with editor permission could read cloud metadata and other internal HTTP endpoints reachable from the NocoDB process. On affected installs the spreadsheet import path was a credential-exfiltration primitive on cloud hosts.

### Credit

This issue was reported by Devel Group Security Research Team through [@TREXNEGRO](https://github.com/TREXNEGRO). It was independently reported by [@l3tchupkt](https://github.com/l3tchupkt).
Sources
- GitHub Advisory Database · first seen 2026-06-17 14:06 UTC