Full Report
MediaWiki, which is a PHP, claimed to have a deprecated dependency that was an HTTP web server called got. How does this effect MediaWiki? Some submodules were using this. The got library added support for making requests via Unix domain sockets. This was to allow for requests to be made to a local server, similar to localhost. Unix sockets are extremely powerful so filtering should be done by the end user. This support added the unix:/ and http://unix:/ scheme. The latter scheme was borrowed from the npm request library for implementation. The got library was not considering that redirects could occur to Unix sockets. By using a 30X redirect to our own server then sending it to a Unix socket, it would be possible to hit a Unix socket from the request; this is a real bad SSRF vulnerability. Filtering wouldn't work in this case, since the request would redirect anyway. This issue was present in the request framework as well. How would somebody exploit this? Hitting a locally running unix socket. A common unix socket would be the Docker socket. This can be used for creating and kill containers, getting logs and much more. Overall, interesting dive down the dependency rabbit hole and a trip down how hard URL are to handle in the modern web.
Analysis Summary
# Vulnerability: SSRF via Redirect to Unix Domain Sockets in 'got' Library
## CVE Details
- **CVE ID:** CVE-2022–33987
- **CVSS Score:** 9.1 (Critical) - *Note: Based on typical SSRF with local socket access; specific score stems from GHSA-pfrx-2q88-qq97.*
- **CWE:** CWE-918 (Server-Side Request Forgery)
## Affected Systems
- **Products:**
- `got` (Node.js HTTP request library)
- `request` (Deprecated Node.js library, inherited the same flaw)
- **Downstream MediaWiki Submodules:** `skins/MinervaNeue`, `extensions/Math`, `extensions/AbuseFilter`.
- **Versions:**
- `got` versions < 11.8.5
- All versions of the deprecated `request` library.
- **Configurations:** Systems where the application accepts user-provided URLs and uses a vulnerable version of `got` or `request` to fetch them, especially if the server has local Unix sockets (e.g., Docker) accessible to the process.
## Vulnerability Description
The vulnerability exists because the `got` library supports making requests via Unix domain sockets using the `unix:/` and `http://unix:/` schemes. While these schemes allow legitimate local IPC (Inter-Process Communication), the library failed to restrict redirects to these schemes.
A malicious actor can provide a URL pointing to a server they control. When the vulnerable application requests that URL, the attacker's server responds with a **30X redirect** to a local Unix socket (e.g., `http://unix:/var/run/docker.sock:/containers/json`). Because `got` handles redirects automatically and did not validate the destination scheme, it follows the redirect into the local Unix socket, bypassing traditional URL filters implemented by the developer.
## Exploitation
- **Status:** PoC concepts available; high risk for applications interfacing with user-provided URLs.
- **Complexity:** Low (requires simple HTTP redirect control).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Access to local internal files, Docker logs, and container metadata).
- **Integrity:** High (Ability to create/kill Docker containers or interact with local services).
- **Availability:** High (Potential for service disruption via local socket commands).
## Remediation
### Patches
- **Got Library:** Update to version **11.8.5** or higher (or the latest version in your specific major release branch).
- **MediaWiki:** Update to the latest security release (specifically those addressing the Phabricator ticket T311360).
### Workarounds
- Implement strict allow-lists for request protocols (e.g., allow only `http:` and `https:`).
- Use the `got-ssrf` wrapper library which attempts to resolve and validate hostnames before requesting.
- Disable automatic redirection in the library configuration if business logic allows.
## Detection
- **Indicators of Compromise:** Unusual log entries showing `unix:/` or `http://unix:/` strings in destination URLs. Traffic patterns showing the application server attempting to connect to its own local socket paths.
- **Detection Methods:** Audit `package-lock.json` files for vulnerable versions of `got` or the deprecated `request` library. Inspect outbound HTTP traffic for 301/302 redirects pointing to Unix schemes.
## References
- **Vendor Advisory:** [GHSA-pfrx-2q88-qq97](https://github.com/advisories/GHSA-pfrx-2q88-qq97)
- **MediaWiki Phabricator:** [T311360](https://phabricator.wikimedia.org/T311360)
- **Vulnerability Research:** [itnext[.]io/a-deep-dive-of-cve-2022-33987-got-allows-a-redirect-to-a-unix-socket-cdeed53944f7](https://itnext.io/a-deep-dive-of-cve-2022-33987-got-allows-a-redirect-to-a-unix-socket-cdeed53944f7)