Part 1: How the Red Agent uncovered a multi-step attack chain allowing SSRF-to-Local-File-Read on a GCP Cloud Run API
Analysis Summary
# Vulnerability: SSRF-to-Local-File-Read in GCP Cloud Run API
## CVE Details
- **CVE ID**: Not specified (The article describes a specific discovery by the "Red Agent" on a production GCP Cloud Run service rather than a named vulnerability in a commercial software product).
- **CVSS Score**: N/A (Likely Critical based on the impact described).
- **CWE**: CWE-918 (Server-Side Request Forgery), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
## Affected Systems
- **Products**: Custom API hosted on GCP Cloud Run.
- **Versions**: Production environment as of June 2026.
- **Configurations**: Applications implementing a `?url=` parameter intended to fetch remote GitHub blobs without sufficient input sanitization or architectural isolation.
## Vulnerability Description
The vulnerability is a multi-step attack chain. The application uses a `?url=` parameter to fetch files from GitHub. While the application implements a validator to ensure the URL matches a specific GitHub structure (`https[:]//github[.]com/{owner}/{repo}/blob/{branch}/{path}`), it fails to properly sanitize the input against path traversal or protocol manipulation.
Detailed reasoning suggests that the backend service likely downloads the requested file to a local temporary directory or processes it using a filesystem-level call. By injecting traversal sequences or exploiting nuances in how the backend handles the validated string, an attacker can trick the service into reading local system files instead of the intended remote GitHub resource.
## Exploitation
- **Status**: Discovered and demonstrated by the Red Agent (Research/PoC available via the Wiz research blog).
- **Complexity**: Medium (Requires bypassing specific URL validation logic).
- **Attack Vector**: Network (Unauthenticated web request).
## Impact
- **Confidentiality**: **High**. The attacker successfully read `/proc/self/environ`, exposing live GCP service-account credentials and application source code.
- **Integrity**: **None** (Read-only access demonstrated).
- **Availability**: **None** (No service disruption reported).
## Remediation
### Patches
- As this was a discovery on a specific service, remediation involves code-level fixes by the developers of that API.
### Workarounds
- **Strict Validation**: Use allow-lists for specific GitHub repositories and branches rather than relying on string-based URL patterns.
- **Protocol Restriction**: Ensure the library used for fetching (e.g., cURL, requests) is restricted to `http` and `https` protocols only, explicitly disabling `file://` or `gopher://`.
- **Identity Security**: Minimize the permissions assigned to the Cloud Run service account (Principle of Least Privilege) to reduce the impact of credential theft.
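
The first two workarounds above can be combined into one validator for the `?url=` value. This is an added example, not code from the affected service or the Wiz write-up; the allow-list entry `example-org/docs` and the function names are assumptions made for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Hypothetical allow-list (assumption): (owner, repo) -> permitted branches.
ALLOWED_REPOS = {("example-org", "docs"): {"main"}}


class RejectedURL(ValueError):
    """The ?url= value is outside what the service will fetch."""


def validate_blob_url(raw: str) -> str:
    """Return a canonical blob URL rebuilt from validated parts, or raise."""
    parts = urlsplit(raw)
    # Protocol restriction: file://, gopher:// and plain http never pass.
    if parts.scheme != "https":
        raise RejectedURL("scheme must be https")
    # Exact netloc match also rejects userinfo ("github.com@host") and ports.
    if parts.netloc != "github.com":
        raise RejectedURL("host must be exactly github.com")
    if parts.query or parts.fragment:
        raise RejectedURL("query and fragment are not accepted")
    # Decode once; a leftover '%' means double encoding (%252e%252e).
    path = unquote(parts.path)
    if "%" in path or "\\" in path or "\x00" in path:
        raise RejectedURL("suspicious characters in path")
    segments = path.split("/")[1:]  # drop the empty string before the leading "/"
    if len(segments) < 5 or segments[2] != "blob":
        raise RejectedURL("not a /{owner}/{repo}/blob/{branch}/{path} URL")
    # Empty, "." and ".." segments are how traversal reaches local paths.
    if any(s in ("", ".", "..") for s in segments):
        raise RejectedURL("empty or dot segment in path")
    owner, repo, _, branch = segments[:4]
    if branch not in ALLOWED_REPOS.get((owner, repo), set()):
        raise RejectedURL("repository or branch is not allow-listed")
    return "https://github.com/" + "/".join(quote(s, safe="") for s in segments)


def is_allowed(raw: str) -> bool:
    """Convenience wrapper: True only when validate_blob_url() accepts raw."""
    try:
        validate_blob_url(raw)
        return True
    except ValueError:  # RejectedURL, or urlsplit failing on a malformed URL
        return False
```

The fetcher should request only the string returned by `validate_blob_url()`, never the caller's original value, so that what was validated and what is fetched cannot differ.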
## Detection
- **Indicators of Compromise**:
  - Outbound requests to `http[:]//metadata[.]google[.]internal`.
  - Web logs containing traversal sequences (`../`) or local file paths in the `url` parameter.
  - Unusual access patterns to service account credentials from unexpected IP addresses.
- **Detection Methods and Tools**: Monitor GCP "Access Approved" logs or Cloud Logging for suspicious container activity, such as access to `/proc/self/environ`.
## References
- Wiz Blog: [The Red Agent POV: How it Reasoned its Way to SSRF](https[:]//www[.]wiz[.]io/blog/red-agent-pov-ssrf)
- GCP Security Documentation: [Securing Cloud Run services](https[:]//cloud[.]google[.]com/run/docs/securing/service-identity)