CVE-2023-27163 Overview
Request-Baskets up to version 1.2.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the /api/baskets/{name} component. This vulnerability allows attackers to access internal network resources and sensitive information via crafted API requests, potentially enabling reconnaissance of internal infrastructure and pivoting to other attacks.
Critical Impact
Attackers can leverage this SSRF vulnerability to probe internal network services, access sensitive resources behind firewalls, and potentially chain this vulnerability with other exploits for remote code execution.
Affected Products
- rbaskets request_baskets versions up to 1.2.1
- Request-Baskets self-hosted deployments
- Containerized Request-Baskets instances
Discovery Timeline
- 2023-03-31 - CVE-2023-27163 published to NVD
- 2025-02-18 - Last updated in NVD database
Technical Details for CVE-2023-27163
Vulnerability Analysis
The vulnerability exists in Request-Baskets, a web service designed to collect and inspect arbitrary HTTP requests. The SSRF vulnerability in the /api/baskets/{name} endpoint allows attackers to manipulate the server into making requests to arbitrary internal or external destinations.
When creating or configuring a basket, an attacker can specify a forward_url parameter that causes the Request-Baskets server to forward incoming requests to that URL. Because the server does not properly validate or restrict the target URLs, an attacker can direct requests to internal network resources that would otherwise be inaccessible from external networks.
This vulnerability is particularly dangerous because it can be chained with other vulnerabilities. As documented in the Packet Storm RCE Exploit, attackers have used this SSRF to pivot and achieve remote code execution on backend services like Maltrail.
Root Cause
The root cause is insufficient validation of user-supplied URLs in the basket forwarding configuration. The application fails to implement proper URL allowlisting or blocklisting, allowing requests to be forwarded to sensitive internal addresses including localhost, private IP ranges, and cloud metadata endpoints.
Attack Vector
The attack is network-based and requires authenticated access (high privileges) to the Request-Baskets API. An attacker with API access can:
- Create a new basket or modify an existing one via the /api/baskets/{name} endpoint
- Configure the forward_url parameter to point to an internal resource (e.g., http://127.0.0.1:8080/admin)
- Send requests to the basket endpoint, which are then forwarded to the internal target
- Receive responses from internal services that would normally be unreachable
The vulnerability enables reconnaissance of internal network topology, access to internal services, and potential data exfiltration. Proof-of-concept exploits are publicly available in the GitHub PoC repository.
Detection Methods for CVE-2023-27163
Indicators of Compromise
- Unusual outbound requests from the Request-Baskets server to internal IP addresses (e.g., 127.0.0.1, 10.x.x.x, 192.168.x.x)
- API requests to /api/baskets/ endpoints containing forward_url parameters pointing to internal resources
- Requests targeting cloud metadata endpoints (e.g., 169.254.169.254)
- Unexpected traffic patterns from the Request-Baskets service to backend systems
Detection Strategies
- Monitor network traffic for SSRF indicators such as requests to internal IP ranges originating from the Request-Baskets server
- Implement web application firewall (WAF) rules to detect and block suspicious forward_url values in API requests
- Review Request-Baskets logs for basket configurations containing internal or localhost URLs
- Deploy intrusion detection signatures for known CVE-2023-27163 exploitation patterns
Monitoring Recommendations
- Enable detailed logging for all API requests to the /api/baskets/ endpoint
- Set up alerts for any basket configurations that reference internal IP addresses or localhost
- Monitor for anomalous outbound connections from the Request-Baskets service
- Implement network segmentation monitoring to detect unauthorized cross-segment communication
How to Mitigate CVE-2023-27163
Immediate Actions Required
- Upgrade Request-Baskets to a version newer than 1.2.1 if a patched version is available
- Restrict network access to the Request-Baskets instance using firewall rules
- Implement URL validation to block internal IP addresses and sensitive endpoints in forwarding configurations
- Review existing basket configurations for any suspicious forward_url values
Patch Information
The vulnerability affects Request-Baskets up to version 1.2.1. Organizations should check the GitHub Request Baskets repository for the latest releases and security updates. Additionally, review the Packet Storm SSRF Exploit advisory for technical details on the vulnerability.
Workarounds
- Deploy Request-Baskets behind a reverse proxy that validates and restricts forward_url parameters
- Implement network-level controls to prevent the Request-Baskets server from accessing internal resources
- Use allowlisting to restrict forwarding destinations to known-safe external URLs only
- Consider disabling the request forwarding feature entirely if not required for your use case
# Example: iptables rules to restrict Request-Baskets outbound connections
# Block access to internal networks from the Request-Baskets container/service
# (-m owner matches the UID the service runs as; insert these ahead of any broad
# ACCEPT rule in OUTPUT or they will never match, and add equivalent ip6tables
# rules for ::1, fc00::/7 and fe80::/10 if the host has IPv6 enabled)
iptables -A OUTPUT -m owner --uid-owner request-baskets -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner request-baskets -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner request-baskets -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner request-baskets -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner request-baskets -d 169.254.169.254 -j DROP
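The log review in the detection section and the forward_url validation under Immediate Actions and Workarounds both need the same classifier: given a forward_url, decide whether it points at internal address space. The Go program below is an added example, not request-baskets code; the Basket type and the sample configurations are assumptions, and hostnames that are not IP literals are deliberately left for a resolver step this example does not include.

```go
// Added example, not request-baskets code: flag forward_url values aimed at internal address space.
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)
type Basket struct{ Name, ForwardURL string } // assumed shape, not the project's own type

// InternalTarget is true for loopback, RFC 1918, link-local (169.254.169.254 lives here),
// IPv6 ULA and unspecified addresses, and for unparseable or non-HTTP(S) URLs. A hostname
// other than localhost passes here; a real validator must resolve it and re-check the IPs.
func InternalTarget(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return true
	}
	host := strings.ToLower(u.Hostname())
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return true
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false // not an IP literal: resolve before trusting
	}
	addr = addr.Unmap() // ::ffff:127.0.0.1 is 127.0.0.1 in disguise
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() || addr.IsUnspecified()
}
// AuditBaskets returns the names of baskets whose forward_url targets internal space.
func AuditBaskets(bs []Basket) []string {
	var hits []string
	for _, b := range bs {
		if b.ForwardURL != "" && InternalTarget(b.ForwardURL) {
			hits = append(hits, b.Name)
		}
	}
	return hits
}

func main() {
	sample := []Basket{ // constructed sample configurations, not real data
		{"webhook", "https://hooks.example.com/in"},
		{"loop", "http://127.0.0.1:8080/admin"},
		{"meta", "http://169.254.169.254/latest/meta-data/"},
		{"mapped", "http://[::ffff:10.0.0.5]/"},
	}
	fmt.Println(AuditBaskets(sample)) // [loop meta mapped]
}
```

The same InternalTarget check can run over exported basket configurations for the audit in the monitoring section, or in front of the basket create/update handler to reject internal targets before they are saved.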
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.