CVE-2026-25870 Overview
CVE-2026-25870 is a server-side request forgery (SSRF) vulnerability in DoraCMS version 3.1 and prior. The flaw resides in the UEditor remote image fetch functionality, which accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts and response size limits. Attackers can abuse this behavior to force the server to issue outbound requests to arbitrary hosts, including internal network resources. This enables internal network reconnaissance and denial of service through resource exhaustion. The vulnerability is tracked under CWE-918.
Critical Impact
Unauthenticated attackers can pivot through DoraCMS to scan internal networks and exhaust server resources via uncontrolled outbound requests.
Affected Products
- DoraCMS version 3.1
- DoraCMS versions prior to 3.1
- UEditor remote image fetch component within DoraCMS
Discovery Timeline
- 2026-02-10 - CVE-2026-25870 published to the National Vulnerability Database (NVD)
- 2026-04-15 - CVE-2026-25870 last updated in NVD
Technical Details for CVE-2026-25870
Vulnerability Analysis
The vulnerability resides in the UEditor remote image fetch feature inside DoraCMS. UEditor is a rich text editor that supports retrieving remote images by URL, then storing them locally on the server. DoraCMS exposes this fetch endpoint without restricting the destination of outbound requests. An attacker who can reach the editor endpoint can substitute the remote image URL with any internal or external target. The server then issues an HTTP or HTTPS request on the attacker's behalf, returning timing and content signals that disclose internal service availability. Because no response size limits or timeouts are enforced, attackers can also point the fetcher at slow or large endpoints to consume worker threads and memory.
Root Cause
The root cause is missing destination validation in the remote image fetch handler. The application trusts the supplied URL and does not implement an allowlist of permitted hosts or schemes. It does not block requests to loopback addresses, link-local ranges, or RFC1918 private networks. Request timeouts and response size caps are absent, leaving the fetcher exposed to slow-response (slowloris-style) abuse in which a target that trickles data or never answers ties up a worker indefinitely. These omissions map directly to CWE-918: Server-Side Request Forgery.
Attack Vector
Exploitation occurs over the network with no authentication or user interaction required. An attacker sends a crafted request to the UEditor remote image fetch endpoint and supplies a URL targeting an internal host, cloud metadata service, or unresponsive endpoint. The DoraCMS server processes the request and returns observable behavior such as response codes, error messages, or response timing. Attackers iterate through internal IP ranges and ports to map the internal network. The vulnerability is described in detail in the VulnCheck Security Advisory and discussed in the GitHub Issue Discussion.
No verified proof-of-concept code is available. Refer to the linked advisories for technical details on the vulnerable endpoint and request structure.
Detection Methods for CVE-2026-25870
Indicators of Compromise
- Outbound HTTP or HTTPS requests originating from the DoraCMS server to internal IP ranges such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16
- Requests from the DoraCMS host to cloud metadata endpoints like 169.254.169.254
- High volumes of UEditor remote image fetch requests with externally controlled URL parameters
- DoraCMS process consuming abnormal CPU, memory, or socket counts due to fetcher backlog
Detection Strategies
- Inspect web server access logs for repeated calls to the UEditor remote fetch endpoint with varied URL parameters
- Correlate inbound requests to UEditor with subsequent outbound DNS lookups and connections from the application server
- Alert on outbound traffic from the CMS server destined to RFC1918 ranges or cloud instance metadata IPs
Monitoring Recommendations
- Forward DoraCMS application logs and egress network flows to a centralized analytics platform for correlation
- Track baseline outbound destination counts per hour from the CMS server and alert on deviations
- Monitor for HTTP error spikes and elevated request latency that may indicate fetcher abuse for denial of service
How to Mitigate CVE-2026-25870
Immediate Actions Required
- Restrict access to the UEditor remote image fetch endpoint at the reverse proxy or WAF layer until a patch is applied
- Block outbound traffic from the DoraCMS server to internal subnets and cloud metadata services using host or network firewalls
- Disable the remote image fetch functionality in UEditor configuration if it is not required by content authors
- Audit recent access logs for suspicious URL parameters submitted to the fetcher endpoint
Patch Information
No official vendor patch has been referenced in the advisory data. Operators should monitor the DoraCMS Official Website and the GitHub Issue Discussion for upstream fixes. Apply vendor updates promptly once they become available.
Workarounds
- Implement an allowlist of permitted remote image hosts at the application or proxy layer
- Force the fetcher through an egress proxy that blocks private IP ranges, loopback, and link-local addresses
- Enforce strict request timeouts and maximum response size limits on outbound fetcher connections
- Require authentication for any endpoint that triggers server-side URL fetching
# Example iptables rules to block outbound SSRF targets from the CMS host.
# Scoped with the owner match to the account the DoraCMS process runs as
# (placeholder: doracms) so other host traffic is unaffected. Rejecting
# 127.0.0.0/8 also cuts the application off from any local database or
# cache on loopback; insert ACCEPT rules for those ports ahead of these.
iptables -A OUTPUT -m owner --uid-owner doracms -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner doracms -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner doracms -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner doracms -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner doracms -d 169.254.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.