CVE-2022-24825: 
vulnerability analysis and mitigation

Smokescreen is a simple HTTP proxy designed to prevent server-side request forgery (SSRF) attacks by controlling access to URLs. A vulnerability (CVE-2022-24825) was discovered that allowed attackers to bypass the deny list feature by either appending a dot to the end of user-supplied URLs or by providing input in a different letter case. The vulnerability was disclosed on April 19, 2022, affecting Smokescreen versions prior to 0.0.3 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, while GitHub assessed it at 5.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) (NVD).

The vulnerability could allow attackers to bypass Smokescreen's URL deny list protection mechanism, potentially enabling unauthorized access to blocked URLs. This bypass could lead to successful SSRF attacks against internal infrastructure that should have been protected by the proxy (GitHub Advisory).

Users should upgrade Smokescreen to version 0.0.3 or later to address this vulnerability. This version includes fixes for the deny list bypass issues (GitHub Advisory).

The vulnerability was responsibly disclosed by security researcher Grzegorz Niedziela. Stripe's security team acknowledged the finding and addressed it through a security advisory (GitHub Advisory).