A critical security vulnerability, tracked as CVE-2024-47830, has been identified and patched in Plane, a widely used open-source project management tool. The vulnerability, rated with a high CVSS score of 9.3, is a server-side request forgery (SSRF): it allows attackers to make Plane's server send requests to unintended locations, potentially leading to unauthorized access to internal services and exposure of sensitive data.
The vulnerability was discovered by security researcher Sim4n6, who pinpointed the issue in Plane's image handling configuration. The flaw lies in the remotePatterns setting within the web/next.config.js file, where a misuse of wildcard support permits any hostname to be used when fetching images. Below is a snippet of the vulnerable configuration:
    images: {
      remotePatterns: [
        {
          protocol: "https",
          hostname: "**",
        },
      ],
    },

Attackers can exploit this design flaw to trick Plane's server into making requests to arbitrary, potentially malicious locations. In a proof-of-concept (PoC) demonstration by Sim4n6, a payload crafted for Plane's image processing endpoint forces the server to send a GET request to an attacker-chosen hostname. For instance, using a malformed URL, the vulnerability could be exploited as follows:

    https://plane.so/_next/image?url=https%3A%2F%2F3dj9lr9c.c5.rs%2F%3F%23_next%2Fstatic%2Fmedia%2Fplane-logo-with-text.31443952.png&w=384&q=75

This results in the server making an unintended outbound request, giving the attacker a way to interact with internal systems.
The Potential Impact of the Vulnerability
The severity of CVE-2024-47830 lies in its potential consequences:
- Unauthorized Access: Attackers could reach internal services normally shielded from the external network.
- Sensitive Data Leakage: Systems holding confidential or sensitive information could be exposed if those services are accessed through the SSRF.
- System Manipulation: Attackers could interact with internal APIs, enabling data tampering or broader system manipulation.
- Port Scanning: Using the SSRF, attackers could probe the internal network for open ports, potentially identifying additional weaknesses or vulnerable services.
Affected Versions and Patch
CVE-2024-47830 affects all versions of Plane prior to v0.23. The Plane development team responded swiftly by releasing a patch in version v0.23, which addresses the SSRF flaw by tightening restrictions in the image-handling functionality.
Mitigation Recommendation
Users of Plane are strongly encouraged to update their installations to version v0.23 or later as soon as possible to mitigate the risk of exploitation. Failing to do so leaves systems exposed to critical risks, including unauthorized access and data leakage.
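To make the difference between the wildcard setting and a pinned host concrete, here is an added example (not Plane's or Next.js's own code): a simplified model of how a request to the image endpoint is checked against images.remotePatterns, run against the vulnerable "**" configuration and against a pinned allow-list. The pinned host cdn.example.com and the attacker host attacker.example are placeholders, and the wildcard semantics are an approximation of the documented Next.js rules.

```javascript
// Added example, not Plane's or Next.js's own code: a simplified model of
// how Next.js checks a requested image URL against `images.remotePatterns`,
// so the vulnerable Plane config (hostname "**") can be compared with a
// pinned one. Wildcards approximate the documented Next.js semantics ("*" =
// one label, "**" = any number of leading labels); port and pathname rules
// are omitted. The pinned host and the attacker host are made-up placeholders.
function hostnameToRegExp(pattern) {
  const segs = pattern.split(".");
  let src = "^";
  segs.forEach((seg, i) => {
    if (seg === "**") {
      // "**" alone matches any host; "**.example.com" is treated as zero or more leading labels
      src += segs.length === 1 ? "[^.]+(?:\\.[^.]+)*" : "(?:[^.]+\\.)*";
      return;
    }
    if (i > 0 && segs[i - 1] !== "**") src += "\\.";
    src += seg === "*" ? "[^.]+" : seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  });
  return new RegExp(src + "$", "i");
}

// Returns true if the image optimizer would be allowed to fetch `imageUrl`.
function isAllowedRemoteImage(config, imageUrl) {
  let url;
  try { url = new URL(imageUrl); } catch { return false; } // relative or malformed: reject here
  return config.images.remotePatterns.some((rp) =>
    (!rp.protocol || `${rp.protocol}:` === url.protocol) &&
    hostnameToRegExp(rp.hostname).test(url.hostname));
}

// The setting shipped before v0.23, as quoted in the advisory: any https host is accepted.
const vulnerableConfig = {
  images: { remotePatterns: [{ protocol: "https", hostname: "**" }] },
};
// A pinned allow-list (placeholder host; use the CDN or bucket host you actually serve from).
const hardenedConfig = {
  images: { remotePatterns: [{ protocol: "https", hostname: "cdn.example.com" }] },
};

// Constructed request in the shape of the PoC: the `url` parameter points at an
// attacker host, and "?#" pushes the image-looking path into the fragment, so the
// optimizer still contacts the attacker's server, not a static asset.
const pocUrl = "https://plane.example/_next/image?url=" +
  encodeURIComponent("https://attacker.example/?#_next/static/media/logo.png") +
  "&w=384&q=75";
const requested = new URL(pocUrl).searchParams.get("url");

console.log(isAllowedRemoteImage(vulnerableConfig, requested)); // true: the fetch goes to attacker.example
console.log(isAllowedRemoteImage(hardenedConfig, requested));   // false: host not on the allow-list
console.log(isAllowedRemoteImage(hardenedConfig, "https://cdn.example.com/logo.png")); // true
```

Running it against your own next.config.js values is a quick way to confirm that an upgrade or a manual edit actually closed the wildcard.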
For more details, consult Plane’s release notes and the official CVE advisory.