
EspoCRM 9.3.3 - SSRF Vulnerability Discovered

EspoCRM 9.3.3 - SSRF Vulnerability 🚨

An authenticated Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-33534, has been reported in EspoCRM version 9.3.3. The finding, titled “EspoCRM 9.3.3 - Authenticated SSRF via Alternative IPv4 Notation,” was discovered by Max Gabriel. A GitHub Security Advisory describes the vulnerability in detail.

Vulnerability Details 🔍

The vulnerability resides in the /api/v1/Attachment/fromImageUrl endpoint, which accepts a request body containing the url, field and parentType parameters and fetches the supplied url on the server's behalf. The endpoint rejects a request for the literal loopback address 127.0.0.1, but that restriction is applied to the address as written rather than to the address the HTTP client will actually connect to. The same loopback address spelled in an alternative IPv4 notation is therefore accepted and fetched. An authenticated user can use any of the following spellings, all of which resolve to 127.0.0.1, to reach internal resources:

  • ‘octal dotted’ (0177.0.0.1)
  • ‘octal dotted padded’ (0177.0000.0000.0001)
  • ‘octal compressed’ (0177.1)
  • ‘hex dotted’ (0x7f.0.0.1)
  • ‘hex dotted full’ (0x7f.0x0.0x0.0x1)
  • ‘hex dword’ (0x7f000001)
  • ‘decimal dword’ (2130706433)
  • ‘octal dword’ (017700000001)
  • ‘short IPv4 two-part’ (127.1)
  • ‘short IPv4 three-part’ (127.0.1)
  • ‘zero-padded dotted’ (127.000.000.001)
  • ‘long zero-padded octal’ (0000000000000000000000000177.0.0.1)
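Why every entry in that list reaches loopback comes down to how lenient IPv4 parsing is: BSD inet_aton() and the HTTP clients built on it accept one to four dot-separated parts, each in decimal, octal (leading 0) or hex (0x), with the last part filling all remaining bytes. The following is an added example written for this page, not EspoCRM's code or the advisory's script. It reimplements that parsing in Python, normalises each notation from the advisory to its canonical dotted quad, and contrasts the kind of literal string comparison this CVE bypasses with a check that decides on the normalised address. The naive and hardened check functions are illustrative assumptions, not EspoCRM's actual filter.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example: an inet_aton()-style parser for alternative IPv4 notations.
# Illustrative code, not EspoCRM's; it models the lenient parsing that BSD
# inet_aton() and libcurl apply to the host component of a URL.

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCTAL = re.compile(r"0[0-7]*")          # a lone "0" is octal zero
_DECIMAL = re.compile(r"[1-9][0-9]*")


def _parse_part(part: str):
    """Parse one dot-separated component: hex (0x), octal (leading 0) or decimal."""
    if _HEX.fullmatch(part):
        return int(part, 16)
    if _OCTAL.fullmatch(part):
        return int(part, 8)
    if _DECIMAL.fullmatch(part):
        return int(part, 10)
    return None  # empty, "08", bare "0x", trailing junk: rejected


def parse_inet_aton(text: str):
    """Return the 32-bit integer for an IPv4 literal, or None if it is not one.

    Accepts 1 to 4 parts; every part but the last is one byte and the last
    part fills the remaining bytes, exactly as inet_aton() does. That rule
    is why 127.1, 0177.1 and 2130706433 all denote 127.0.0.1.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    tail_bytes = 4 - len(leading)
    if last >= 1 << (8 * tail_bytes):
        return None
    addr = 0
    for v in leading:
        addr = (addr << 8) | v
    return (addr << (8 * tail_bytes)) | last


def canonical_ipv4(text: str):
    """Canonical dotted quad for any inet_aton()-accepted spelling, else None."""
    n = parse_inet_aton(text)
    return None if n is None else str(ipaddress.IPv4Address(n))


def naive_blocklist_allows(url: str) -> bool:
    """The kind of check this CVE bypasses: compares the host string literally."""
    return urlsplit(url).hostname not in {"127.0.0.1", "localhost"}


def hardened_is_internal(url: str) -> bool:
    """Normalise first, then decide on the resolved address, not its spelling.

    Unparseable hosts are treated as internal (fail closed). DNS names are out
    of scope here; a real filter must resolve them and re-check the result at
    connect time, because a name can point at loopback as well.
    """
    host = urlsplit(url).hostname or ""
    n = parse_inet_aton(host)
    if n is None:
        return True
    addr = ipaddress.IPv4Address(n)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


# The notations from the advisory, each expected to normalise to 127.0.0.1.
LOOPBACK_NOTATIONS = [
    "0177.0.0.1", "0177.0000.0000.0001", "0177.1",
    "0x7f.0.0.1", "0x7f.0x0.0x0.0x1", "0x7f000001",
    "2130706433", "017700000001",
    "127.1", "127.0.1", "127.000.000.001",
    "0000000000000000000000000177.0.0.1",
]


def bypass_report() -> dict:
    """Map each notation to (canonical address, naive check allows?, hardened check blocks?)."""
    report = {}
    for notation in LOOPBACK_NOTATIONS:
        url = f"http://{notation}:8080/client/img/logo-light.svg"
        report[notation] = (canonical_ipv4(notation),
                            naive_blocklist_allows(url),
                            hardened_is_internal(url))
    return report


if __name__ == "__main__":
    for notation, (canon, naive_ok, hardened_blocks) in bypass_report().items():
        print(f"{notation:>36} -> {canon}  naive allows={naive_ok}  hardened blocks={hardened_blocks}")
```

The practical lesson for a fix is in hardened_is_internal: normalise the host to an address before comparing it with anything, fail closed on input the parser does not understand, and, for hostnames, re-validate the address the client actually connects to rather than the string the user supplied.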

Proof of Concept 🛠️

To confirm the vulnerable behavior, the proof of concept (PoC) makes the server ‘self-fetch’ a loopback URL: it submits a URL of the form http://127.0.0.1:<port>/client/img/logo-light.svg, a static asset of the EspoCRM front end, through the fromImageUrl endpoint, with the port chosen to match the target's internal listener. The PoC first sends the direct 127.0.0.1 URL as a control and expects it to be rejected with HTTP 403; if the control is not blocked, a later success shows only that loopback fetches are possible at all, not the bypass that CVE-2026-33534 describes. It then repeats the request with each encoded loopback notation. A bypass is indicated by an HTTP 200 response whose JSON body describes a newly created attachment with ‘id’, ‘type’ and ‘size’ fields, meaning the server fetched the loopback URL and stored the result. The vulnerability is confirmed when at least one encoded notation produces such an attachment while the literal 127.0.0.1 form remains blocked.

This post is licensed under CC BY 4.0 by the author.