Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-rw8p-c6hf-q3pg

HIGH

PinchTab has SSRF with Full Response Exfiltration via Download Handler

Also known asCVE-2026-30834GO-2026-4631
Published
Mar 6, 2026
Updated
Mar 23, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk34th percentile+0.40%
0.00%0.31%0.62%0.92%0.0%0.0%0.0%0.4%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐹github.com/pinchtab/pinchtab/cmd/pinchtab

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

SSRF with Full Response Exfiltration via Download Handler

Summary

A Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.

Details

The GET /download?url=<url> handler in download.go accepts a user-controlled url parameter and passes it directly to chromedp.Navigate(dlURL) without any validation or sanitization.

// internal/handlers/download.go:78
if err := chromedp.Run(ctx, chromedp.Navigate(dlURL)); err != nil {
    return fmt.Errorf("navigate to %s: %w", dlURL, err)
}

Since the request is performed by the headless Chrome browser instance managed by PinchTab, it can access:

  1. Local Files: Using the file:// scheme (e.g., file:///etc/passwd).
  2. Internal Services: Accessing services bound to localhost or internal network IPs that are not reachable from the outside.
  3. Cloud Metadata: Accessing cloud provider metadata endpoints (e.g., 169.254.169.254).

The server then returns the captured response body directly to the attacker, enabling full exfiltration of sensitive data.

PoC

To reproduce the vulnerability, ensure the PinchTab server is running and accessible.

  1. Local File Read: Execute the following curl command to read /etc/passwd:

    curl -X GET "http://localhost:9867/download?url=file:///etc/passwd"

  2. Internal Service Access: If a service is running on localhost:8080, access it via:

    curl -X GET "http://localhost:9867/download?url=http://localhost:8080/internal-admin"

The response will contain the content of the targeted file or service.

PoC video:

https://github.com/user-attachments/assets/b15776ea-13cc-4534-ba7b-6d5c4e0ee74f

Impact

This is a high-severity SSRF vulnerability. It impacts the confidentiality and security of the host system and the internal network where PinchTab is deployed. Attackers can exfiltrate sensitive system files, probe internal network infrastructure, and potentially gain access to internal management interfaces or cloud credentials. While PinchTab is often used in local environments, any deployment where the API is exposed (even with authentication) allows a compromised or malicious client to pivot into the internal network.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/pinchtab/pinchtab/cmd/pinchtaball versions0.7.7

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/pinchtab/pinchtab/cmd/pinchtab. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/pinchtab/pinchtab/cmd/pinchtab to 0.7.7 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-rw8p-c6hf-q3pg is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-rw8p-c6hf-q3pg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-rw8p-c6hf-q3pg. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

# SSRF with Full Response Exfiltration via Download Handler ### Summary A Server-Side Request Forgery (SSRF) vulnerability in the `/download` endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content. ### Details The `GET /download?url=<url>` handler in [download.go](file:///Users/quan.m.le/Workspaces/pinchtab/internal/handlers/download.go#L78) accepts a user-controlled `url` parameter and passes it directly to `chromedp.Navigate(dlURL)` withou
O3 Security · Impact-Aware SCA

Is GHSA-rw8p-c6hf-q3pg in your dependencies?

O3 detects GHSA-rw8p-c6hf-q3pg across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works