CVE-2021-47958 Overview
CVE-2021-47958 is a server-side request forgery (SSRF) vulnerability in CouchCMS 2.2.1. Authenticated attackers can upload malicious Scalable Vector Graphics (SVG) files containing external entity references through the browse.php endpoint. The crafted SVG payloads force the server to issue arbitrary HTTP requests to internal or external resources. This vector enables internal network reconnaissance and access to services not directly exposed to the internet. The weakness is tracked as CWE-918: Server-Side Request Forgery.
Critical Impact
Authenticated attackers can pivot through CouchCMS to reach internal services, cloud metadata endpoints, and other resources reachable from the web server.
Affected Products
- CouchCMS 2.2.1
- Earlier versions sharing the same upload handler in browse.php
- Deployments exposing authenticated administrative upload functionality
Discovery Timeline
- 2026-05-15 - CVE-2021-47958 published to the National Vulnerability Database
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47958
Vulnerability Analysis
The vulnerability resides in the file upload handler exposed by browse.php within CouchCMS 2.2.1. The handler accepts SVG files without sanitizing embedded XML constructs. Because SVG is an Extensible Markup Language (XML) format, parsers may resolve external entity references declared inside the document. When the server processes these references, it issues outbound HTTP requests to attacker-controlled destinations.
An authenticated user with upload privileges can place a crafted SVG containing entity references pointing at internal hosts. The CouchCMS backend then performs the request on the attacker's behalf. This grants visibility into resources behind perimeter controls, including loopback services, intranet applications, and cloud instance metadata endpoints.
For full technical context, see the VulnCheck Advisory on CouchCMS and Exploit-DB #49675.
Root Cause
The root cause is insufficient validation of uploaded SVG content combined with an XML parser configured to resolve external references. CouchCMS treats SVG as a trusted image type and processes it without stripping document type declarations or external entity definitions.
Attack Vector
An authenticated attacker logs into CouchCMS and submits a crafted SVG document through browse.php. The SVG contains XML entity definitions that reference internal URLs. When the server parses the file, it dereferences the entities and issues HTTP requests, returning content or behavior observable to the attacker.
No verified exploit code is reproduced here. Refer to the published proof of concept at Exploit-DB #49675 for technical detail.
Detection Methods for CVE-2021-47958
Indicators of Compromise
- Uploaded SVG files in CouchCMS storage directories containing <!DOCTYPE>, <!ENTITY>, or SYSTEM declarations
- Outbound HTTP requests from the web server to internal IP ranges, 127.0.0.1, or cloud metadata addresses such as 169.254.169.254
- POST requests to browse.php followed by anomalous outbound connections from the CouchCMS process
- Unexpected entries in web server access logs originating from authenticated administrative sessions
Detection Strategies
- Inspect uploaded SVG files for XML external entity (XXE) constructs before they reach the application directory
- Correlate authenticated CouchCMS upload events with outbound network connections initiated by the PHP runtime
- Alert on web application requests that resolve to RFC 1918 addresses or instance metadata services
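The second and third strategies above, as an added example that is not part of the original advisory or of CouchCMS: a correlator that pairs POSTs to browse.php in the web access log with netfilter egress events to loopback, private or link-local destinations. It assumes a `-j LOG --log-prefix "EGRESS "` rule placed in front of the REJECT rules shown under Workarounds below; the log lines, the /couch/ path and the admin user name are constructed samples.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample logs, not real captures. ACCESS_LOG is Apache combined
# format; EGRESS_LOG is netfilter LOG output as `journalctl -o short-iso`
# prints it, assuming a `-j LOG --log-prefix "EGRESS "` rule sits in front of
# the REJECT rules from the Workarounds section.
ACCESS_LOG = """\
203.0.113.7 - admin [15/May/2026:10:12:01 +0000] "POST /couch/browse.php HTTP/1.1" 200 512
203.0.113.7 - admin [15/May/2026:10:12:02 +0000] "GET /couch/ HTTP/1.1" 200 2048
198.51.100.9 - - [15/May/2026:10:20:00 +0000] "GET /index.php HTTP/1.1" 200 1024
"""
EGRESS_LOG = """\
2026-05-15T10:12:03+0000 web kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=169.254.169.254 PROTO=TCP DPT=80
2026-05-15T10:12:04+0000 web kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=443
2026-05-15T11:00:00+0000 web kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=8080
"""

UPLOAD_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "POST \S*browse\.php')
EGRESS_RE = re.compile(r'^(\S+) .*\bDST=(\S+)')

def is_internal(addr: str) -> bool:
    """Loopback, private (RFC 1918 and other reserved ranges) or link-local,
    which covers the 169.254.169.254 metadata address."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_private or ip.is_link_local

def correlate(access_log: str, egress_log: str, window_seconds: int = 30) -> list:
    """Return (user, client_ip, destination) for every egress to an internal
    address that follows a browse.php POST within window_seconds."""
    window = timedelta(seconds=window_seconds)
    uploads = []
    for line in access_log.splitlines():
        m = UPLOAD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
            uploads.append((ts, m.group(1), m.group(2)))
    alerts = []
    for line in egress_log.splitlines():
        m = EGRESS_RE.match(line)
        if not m or not is_internal(m.group(2)):
            continue  # no DST field, or a destination on the public internet
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z")
        for up_ts, client, user in uploads:
            if up_ts <= ts <= up_ts + window:
                alerts.append((user, client, m.group(2)))
    return alerts

if __name__ == "__main__":
    for alert in correlate(ACCESS_LOG, EGRESS_LOG):
        print("upload by %s from %s followed by egress to %s" % alert)
```

The 11:00 connection to 192.168.1.10 is internal but has no upload within the window, so it is left for the egress-monitoring rule rather than tied to an upload.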
Monitoring Recommendations
- Enable verbose logging on browse.php and retain upload metadata for forensic review
- Monitor egress traffic from web servers and flag connections to internal subnets that should not originate from public-facing services
- Track CouchCMS administrative account activity for atypical upload volumes or off-hours sessions
How to Mitigate CVE-2021-47958
Immediate Actions Required
- Restrict CouchCMS administrative access to trusted users and enforce strong authentication on upload endpoints
- Block SVG uploads at the application or web application firewall layer until a sanitization control is in place
- Apply egress filtering on the CouchCMS host to deny outbound traffic to internal networks and cloud metadata endpoints
- Audit the uploads directory for existing SVG files containing XML entity declarations and remove suspicious artifacts
Patch Information
No official vendor patch is referenced in the available advisory data. Monitor the CouchCMS GitHub Repository for security updates and apply fixes when published.
Workarounds
- Configure the PHP XML parser to disable external entity resolution using libxml_disable_entity_loader(true) or equivalent settings in the runtime
- Strip or reject SVG files containing <!DOCTYPE> and <!ENTITY> declarations using a pre-upload sanitizer
- Serve user-uploaded content from an isolated domain with no network access to internal services
- Place CouchCMS behind a reverse proxy that enforces egress allow-lists for outbound requests
# Configuration example: deny outbound traffic from the web server to internal ranges
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT
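For the pre-upload sanitizer and the uploads-directory audit listed under Workarounds and Immediate Actions, and for the SVG inspection strategy under Detection Methods, an added example that is not CouchCMS code and is written in Python rather than PHP for illustration: it lets expat read only the DTD of a candidate file, records every DOCTYPE and entity declaration, and stops before the document body. The three sample files are constructed.

```python
import xml.parsers.expat as expat

class DtdFound(Exception):
    """Raised from a handler to stop parsing once the DTD has been read."""

def inspect_svg(raw: bytes) -> dict:
    """Report DOCTYPE and entity declarations in an uploaded SVG.

    Bytes go to expat unchanged so it applies the BOM and the encoding
    declaration itself (a byte-level grep for '<!DOCTYPE' misses UTF-16).
    No ExternalEntityRefHandler is set and parameter entities are never
    expanded, so the check itself fetches nothing.
    """
    findings = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name}" + (f" SYSTEM {sysid}" if sysid else ""))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter entity" if is_param else "entity"
        source = f"SYSTEM {sysid}" if sysid else "internal"
        findings.append(f"{kind} {name} ({source})")

    def on_end_doctype():
        raise DtdFound  # stop before the <svg> body so no entity is expanded

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(raw, True)
    except DtdFound:
        pass
    except expat.ExpatError as err:  # not well-formed, so not a usable SVG either
        return {"verdict": "reject", "findings": [f"malformed XML: {err}"]}
    return {"verdict": "reject" if findings else "accept", "findings": findings}

# Constructed samples, not real uploads.
CLEAN_SVG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
XXE_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "http://127.0.0.1/">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg">&xxe;</svg>')
# Same kind of declaration, hidden from a byte-level grep by UTF-16 encoding.
UTF16_SVG = '<?xml version="1.0" encoding="UTF-16"?><!DOCTYPE svg [<!ENTITY e "x">]><svg/>'.encode("utf-16")

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SVG), ("xxe", XXE_SVG), ("utf16", UTF16_SVG)]:
        print(label, inspect_svg(sample))
```

The same function serves the audit of existing uploads: feed it the bytes of each SVG in the storage directory and remove or quarantine anything that does not come back as accept.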
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


