
CVE-2026-45012 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in ApostropheCMS affecting the rich-text widget import flow. Any authenticated user with permission to submit or edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation via the POST /api/v1/@apostrophecms/area/validate-widget endpoint. The vulnerability affects the apostrophe npm package versions ≤ 4.29.0, with no patched version available as of the advisory publication date. It was published on May 13, 2026, and carries a CVSS v3.1 base score of 7.6 (High) (GitHub Advisory, Apostrophe Advisory).
The root cause is CWE-918 (Server-Side Request Forgery), arising from insufficient validation of user-supplied URLs in the rich-text widget sanitizer. The vulnerable code resides in @apostrophecms/rich-text-widget/index.js, @apostrophecms/area/index.js, and @apostrophecms/widget-type/index.js. When a widget payload containing import.html is submitted, the backend parses image src attributes and resolves them using new URL(src, input.import.baseUrl || self.apos.baseUrl), then performs an unconstrained server-side fetch(url). The fetched body is written to a temporary file and imported through Apostrophe's image/attachment logic, making image-compatible responses persistable and re-hostable by the application (GitHub Advisory, Apostrophe Advisory).
Successful exploitation allows an authenticated attacker to trigger server-side HTTP requests to arbitrary internal or external URLs, including loopback addresses (127.0.0.1) and private subnets, enabling internal service discovery and port enumeration. For image-compatible responses, the fetched content is persisted and re-hosted by Apostrophe, enabling direct exfiltration of internal data through the application's public image API. Non-image responses still result in blind or semi-blind SSRF, useful for reachability checks. The primary impact is high confidentiality loss, with low integrity and availability impact (GitHub Advisory).
Authenticate: Obtain a valid bearer token by sending a POST request to /api/v1/@apostrophecms/login/login with valid credentials (any user with rich-text widget edit permissions).
Set up a target server: Host a valid PNG file (or any internal service endpoint) at the target URL to be fetched by the server. For internal SSRF, the target can be any internal IP/port (e.g., http://127.0.0.1:7777/secret.png).
Craft the malicious payload: Construct a JSON payload for the validate-widget endpoint with type: "@apostrophecms/rich-text" and an import object containing html with an <img src="..."> tag pointing to the target URL, and baseUrl set to the base of the target.
Send the exploit request: POST the payload to /api/v1/@apostrophecms/area/validate-widget?aposMode=draft with the Authorization: Bearer <token> header. The server then performs a server-side fetch to the attacker-specified URL.
Retrieve exfiltrated content: If the response is image-compatible, the API response will include imageIds. Fetch the re-hosted content via /api/v1/@apostrophecms/image/<imageId>/src to retrieve the exfiltrated data from the internal service (GitHub Advisory, Apostrophe Advisory).
Detection indicators include POST requests to /api/v1/@apostrophecms/area/validate-widget?aposMode=draft in web server access logs, especially with varying baseUrl or import.html values containing <img> tags with internal URLs, and server-side fetch errors or timeouts logged by the application. Image attachments (imageIds) created without corresponding user upload actions, particularly with source URLs pointing to internal network resources, are a further indicator (GitHub Advisory).

As of the advisory publication date (May 13–14, 2026), no patched version is available; all apostrophe npm package versions ≤ 4.29.0 are affected. Organizations should monitor the apostrophecms/apostrophe repository for patch releases. In the interim, consider restricting access to the POST /api/v1/@apostrophecms/area/validate-widget endpoint via network-level controls (WAF rules, reverse proxy ACLs), limiting rich-text widget edit permissions to highly trusted users only, and blocking outbound HTTP requests from the ApostropheCMS server to internal network ranges using egress firewall rules (GitHub Advisory, Apostrophe Advisory).
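As an added example (not ApostropheCMS code and not from either advisory), the URL-resolution pattern the root-cause section describes, new URL(src, baseUrl) followed by an unconstrained fetch, is shown next to a hardened resolver of the kind an interim application-level fix would use. Function names, the IP-range checks and the optional allowedHosts parameter are assumptions for this example.

```javascript
// Added example, not ApostropheCMS code. Shows the unsafe resolution pattern described
// in the advisory beside a hardened resolver that refuses non-HTTP schemes, embedded
// credentials, and loopback/private/link-local IP literals. Names are assumptions.

// Pattern described in the advisory: any scheme, any host, resolved against a
// caller-controlled baseUrl, and the result is fetched server-side as-is.
function resolveImportUrlUnsafe(src, baseUrl) {
  return new URL(src, baseUrl).href;
}

// Unspecified, loopback, RFC 1918 and link-local (169.254.0.0/16) IPv4 ranges.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Loopback, unspecified, unique-local (fc00::/7), link-local (fe80::/10) and
// IPv4-mapped (::ffff:0:0/96) IPv6; the mapped form is rejected outright.
function isPrivateIPv6(ip) {
  const h = ip.toLowerCase();
  return h === '::1' || h === '::' || h.startsWith('fc') || h.startsWith('fd') ||
    h.startsWith('fe80') || h.startsWith('::ffff:');
}

// Returns the canonical URL string if it is acceptable to fetch, otherwise null.
// allowedHosts (optional Set of hostnames) is the stronger control: only listed hosts pass.
function resolveImportUrlSafe(src, baseUrl, allowedHosts = null) {
  let url;
  try { url = new URL(src, baseUrl); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null;
  // WHATWG parsing canonicalises numeric hosts, so "127.1" and "0x7f000001"
  // arrive here as "127.0.0.1" and IPv6 literals arrive bracketed and compressed.
  const host = url.hostname;
  if (allowedHosts) return allowedHosts.has(host) ? url.href : null;
  if (host === 'localhost' || host.endsWith('.localhost')) return null;
  if (host.startsWith('[')) {
    if (isPrivateIPv6(host.slice(1, -1))) return null;
  } else if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isPrivateIPv4(host)) {
    return null;
  }
  // Caveat: a DNS name can still resolve to a private address, or change between this
  // check and the connect (rebinding). Without an allow-list, resolve the name and apply
  // the same range checks on the actual address at connect time.
  return url.href;
}
```

Egress filtering at the firewall, as the advisory suggests, remains the backstop for the DNS-name case this function does not cover.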
The advisory was published by boutell (a core ApostropheCMS maintainer) on May 13, 2026, and credited reporters yigitsengezer and Sainithin0309. No significant broader media coverage or notable external researcher commentary has been identified at this time (Apostrophe Advisory).
Source: This report was generated with the help of AI