CVE-2024-32980 Overview
CVE-2024-32980 is a Server-Side Request Forgery (SSRF) vulnerability in Spin, the developer tool for building and running serverless applications powered by WebAssembly. This vulnerability allows attackers to induce specifically configured Spin applications to make requests to arbitrary hosts by manipulating the Host HTTP header. Applications using self requests without a specified URL authority are susceptible to this attack when certain configuration conditions are met.
Critical Impact
Attackers can exploit this SSRF vulnerability to redirect outbound requests to arbitrary hosts, potentially leading to unauthorized access to internal services, data exfiltration, or further exploitation of internal network resources.
Affected Products
- Spin versions prior to 2.4.3
- Spin applications configured with allow_outbound_hosts containing "self"
- Deployments where routing is based on request URL rather than Host header
Discovery Timeline
- 2024-05-08 - CVE-2024-32980 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-32980
Vulnerability Analysis
This vulnerability falls under CWE-610 (Externally Controlled Reference to a Resource in Another Sphere), manifesting as a Server-Side Request Forgery condition. The issue arises from how Spin resolves the target host for outbound HTTP requests when applications use the self directive in their allow_outbound_hosts configuration.
When a Spin application component makes an outbound request without explicitly specifying the hostname and port in the URL, the runtime relies on contextual information to determine the destination. Under specific deployment conditions, an attacker can manipulate the Host HTTP header to redirect these outbound requests to arbitrary hosts controlled by the attacker.
Root Cause
The root cause stems from the trust relationship between the Spin runtime and the incoming Host header value. When all three vulnerability conditions are met—the deployment environment routes based on URL rather than Host header, the component has allow_outbound_hosts configured with "self", and outbound requests lack explicit hostname/port—the runtime incorrectly uses the attacker-controlled Host header value to determine the destination for self requests. This breaks the security assumption that self requests will only reach the application's own origin.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP requests with a malicious Host header to a vulnerable Spin application. When the application makes an outbound self request, the manipulated Host header value is used as the destination, allowing the attacker to redirect traffic to arbitrary hosts.
For this attack to succeed, the Spin deployment must route incoming requests based on the URL path rather than the Host header, which is common in certain reverse proxy configurations. The attacker crafts a request with a malicious Host header (e.g., Host: attacker-controlled-server.com), and when the application makes an internal self request without specifying the full URL, it inadvertently connects to the attacker's server instead of the intended local endpoint.
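The resolution step described above, shown as a small model so the defect is concrete: an outbound URL with no authority is a "self" request, and the affected behaviour completes it from the incoming Host header, whereas the hardened form completes it only from operator configuration. This is an added example and not Spin's own code; the InboundRequest and ComponentConfig types, the configured_origin field and all sample values are constructed for illustration.

```python
"""Resolution of 'self' outbound requests: affected behaviour vs. hardened.

Added example, not Spin's code. InboundRequest, ComponentConfig, the
configured_origin field and the sample values are constructed here."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class InboundRequest:
    method: str
    path: str
    headers: dict  # lowercase header name -> value, e.g. {"host": "..."}


@dataclass
class ComponentConfig:
    # Loosely mirrors allow_outbound_hosts: "self" or explicit host[:port] entries
    allow_outbound_hosts: list
    # Hypothetical field: the origin the operator knows the app is served at
    configured_origin: str = "http://spin-app.internal:3000"


def resolve_outbound_vulnerable(cfg, inbound, outbound_url):
    """Behaviour the advisory describes for affected versions: a URL with no
    host/port is a 'self' request whose authority is taken from the Host
    header of the request currently being handled."""
    parts = urlsplit(outbound_url)
    if parts.netloc:
        return outbound_url  # explicit authority: nothing to fill in
    if "self" not in cfg.allow_outbound_hosts:
        raise PermissionError("self requests not permitted by allow_outbound_hosts")
    host = inbound.headers.get("host")
    if not host:
        raise ValueError("no Host header to resolve self request against")
    # The defect: an untrusted header value becomes the destination
    return urlunsplit(("http", host, parts.path, parts.query, ""))


def resolve_outbound_hardened(cfg, inbound, outbound_url):
    """Hardened form: the 'self' authority comes only from configuration.
    The inbound request is accepted for symmetry but never consulted."""
    parts = urlsplit(outbound_url)
    origin = urlsplit(cfg.configured_origin)
    if not parts.netloc:
        if "self" not in cfg.allow_outbound_hosts:
            raise PermissionError("self requests not permitted by allow_outbound_hosts")
        return urlunsplit((origin.scheme, origin.netloc, parts.path, parts.query, ""))
    if parts.netloc == origin.netloc and "self" in cfg.allow_outbound_hosts:
        return outbound_url
    if parts.netloc in cfg.allow_outbound_hosts:
        return outbound_url
    raise PermissionError(f"{parts.netloc} is not in allow_outbound_hosts")


if __name__ == "__main__":
    cfg = ComponentConfig(allow_outbound_hosts=["self"])
    # Constructed request whose Host value was not normalized by the proxy
    crafted = InboundRequest("GET", "/checkout", {"host": "203.0.113.7:8080"})
    print("affected: ", resolve_outbound_vulnerable(cfg, crafted, "/internal/prices"))
    print("hardened: ", resolve_outbound_hardened(cfg, crafted, "/internal/prices"))
```

The hardened resolver is also what the "always specify explicit hostname and port" workaround amounts to in practice: with an explicit authority in the URL, neither function consults the Host header, and the hardened one additionally checks that authority against the allow list.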
Detection Methods for CVE-2024-32980
Indicators of Compromise
- Unexpected outbound connections from Spin applications to external or unknown hosts
- Anomalous Host header values in incoming requests that don't match the expected application domain
- Log entries showing self requests resolving to unexpected IP addresses or hostnames
Detection Strategies
- Implement network monitoring to detect outbound connections from Spin applications to unexpected destinations
- Enable verbose logging on Spin applications to capture the resolved destination for all outbound requests
- Deploy Web Application Firewall (WAF) rules to detect and block requests with suspicious Host header manipulation
Monitoring Recommendations
- Monitor Spin application logs for discrepancies between incoming request URLs and Host header values
- Implement alerting for outbound requests from Spin applications to IP addresses outside the expected network ranges
- Review reverse proxy and load balancer configurations to ensure proper Host header handling
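The indicator and monitoring checks listed above, run over constructed sample log lines: a Host header that does not match the expected application domain, an outbound destination outside the expected network ranges, and the two correlated through a shared request id so the second can be rated higher when the first is present. This is an added example and not part of the advisory or of Spin; the key=value log format, the req= correlation id, EXPECTED_HOSTS and EXPECTED_OUTBOUND_NETS are assumptions to adapt to what your proxy and runtime actually log.

```python
"""Detection checks for the indicators above over constructed sample logs.

Added example, not from the advisory or from Spin. The log format, the req=
id, EXPECTED_HOSTS and EXPECTED_OUTBOUND_NETS are assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hostnames (optionally with port) the application is legitimately served under
EXPECTED_HOSTS = {"shop.example.com", "shop.example.com:443"}
# Ranges a self request is allowed to resolve into
EXPECTED_OUTBOUND_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample: one normal request, one with a tampered Host header whose
# self request went to an outside address, and one request with no outbound leg
SAMPLE_LOG = """\
2024-05-09T10:00:01Z inbound req=a1 method=GET path=/checkout host=shop.example.com
2024-05-09T10:00:01Z outbound req=a1 dest=10.0.1.20:3000 url=/internal/prices
2024-05-09T10:00:02Z inbound req=b2 method=GET path=/checkout host=203.0.113.7:8080
2024-05-09T10:00:02Z outbound req=b2 dest=203.0.113.7:8080 url=/internal/prices
2024-05-09T10:00:03Z inbound req=c3 method=GET path=/health host=SHOP.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>inbound|outbound) (?P<rest>.*)$")


def parse_line(line):
    """Turn one key=value log line into a dict, or None if it is not ours."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    fields["ts"], fields["kind"] = m["ts"], m["kind"]
    return fields


def host_mismatch(host):
    """True when the Host header is not one the app should ever be reached as."""
    return host.lower() not in EXPECTED_HOSTS


def dest_outside_expected(dest):
    """True when an outbound destination (host[:port]) is not an IP inside the
    expected ranges; a bare hostname is treated as unexpected for a self request."""
    hostname = urlsplit("//" + dest).hostname or ""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        return True
    return not any(ip in net for net in EXPECTED_OUTBOUND_NETS)


def analyze(log_text):
    """Return a list of findings; an unexpected outbound leg is rated high when
    the inbound request with the same req id also carried a mismatched Host."""
    findings = []
    inbound_by_req = {}
    for event in filter(None, map(parse_line, log_text.splitlines())):
        if event["kind"] == "inbound":
            inbound_by_req[event["req"]] = event
            if host_mismatch(event["host"]):
                findings.append({"type": "host_mismatch", "req": event["req"],
                                 "host": event["host"], "severity": "medium"})
        elif dest_outside_expected(event["dest"]):
            origin = inbound_by_req.get(event["req"])
            tampered = origin is not None and host_mismatch(origin["host"])
            findings.append({"type": "unexpected_outbound", "req": event["req"],
                             "dest": event["dest"],
                             "severity": "high" if tampered else "medium"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Host comparison is case-insensitive because header values are, and a destination that is a hostname rather than an address is flagged on purpose: a self request should resolve to the runtime's own listener, so anything that needs a DNS lookup is worth a look.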
How to Mitigate CVE-2024-32980
Immediate Actions Required
- Upgrade Spin to version 2.4.3 or later immediately
- Review all Spin application configurations for components using allow_outbound_hosts with "self"
- Audit deployment infrastructure to understand how Host headers are processed by upstream proxies
Patch Information
Fermyon has released Spin version 2.4.3 to address this vulnerability. The fix is documented in the GitHub commit b3db535c9edb72278d4db3a201f0ed214e561354. Organizations should upgrade all Spin deployments to this version or later. For detailed information about the vulnerability, refer to the GitHub Security Advisory GHSA-f3h7-gpjj-wcvh.
Workarounds
- Configure reverse proxies to normalize the Host header to match the expected application domain before forwarding to Spin
- Modify Spin application components to always specify explicit hostname and port in outbound request URLs
- Implement network-level controls to restrict outbound connections from Spin applications to a whitelist of approved destinations
# Configuration example: Nginx reverse proxy to normalize Host header
# Add to the server block that proxies to Spin, so the upstream never sees
# the client-supplied Host value; $server_name is the name of the matched
# server block, not the incoming header
proxy_set_header Host $server_name;
# Or use a fixed value (use one of the two directives, not both)
proxy_set_header Host your-spin-app.example.com;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

