CVE-2026-27818 Overview
CVE-2026-27818 is an input validation vulnerability in TerriaJS-Server, the Node.js Express server that backs TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 lets a client route requests through the server's proxy to hosts that are not listed in the proxyableDomains configuration, bypassing the domain allowlist that is the proxy's main security control.
Critical Impact
An attacker can use the proxy endpoint to make the server fetch content from hosts outside the allowlist, which gives them a Server-Side Request Forgery (SSRF) primitive, a channel for data exfiltration through the server, and a way around network controls that trust the TerriaJS-Server's egress. Because the bypass only works for hostnames that end with an allowed domain string, the attacker generally needs a DNS name they control that carries that suffix (for example, registering notexample.com when example.com is allowlisted); hosts with unrelated names are still rejected.
Affected Products
- TerriaJS-Server versions prior to 4.0.3
- Node.js Express deployments that expose the TerriaJS-Server proxy endpoint
- Web-based geospatial data explorer applications built with TerriaJS
Discovery Timeline
- 2026-02-26 - CVE-2026-27818 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27818
Vulnerability Analysis
The vulnerability is in the proxy domain validation logic in lib/controllers/proxy.js. The original implementation decided whether a requested host was allowed with a plain string test: it lowercased the host and then called host.indexOf(domain, host.length - domain.length), which is just "does host end with domain". Nothing checked that the match began at a label boundary, so any hostname whose final characters happen to spell an allowed domain passed.
As a result an attacker can craft hostnames that pass the check without being the allowed domain or one of its subdomains. If example.com is allowlisted, maliciousexample.com (or evil-example.com) passes because the string example.com sits at the end of the attacker-controlled hostname, even though neither name is under example.com. A second, smaller defect is visible in the fix: the host was lowercased but the configured domain was not, so an allowlist entry written with capital letters never matched at all.
Root Cause
The root cause is improper input validation (CWE-20) in the domain matching logic. The validation used suffix matching via indexOf() instead of checking the domain boundary, i.e. the period that separates labels. Without that boundary check, any hostname that ends with an allowed domain string is treated as that domain, which is a suffix-based domain spoofing attack.
Attack Vector
The attack is network-based and requires neither authentication nor user interaction. The attacker sends a proxy request to the TerriaJS-Server whose target hostname ends with an allowed domain string but is not that domain or one of its subdomains. The flawed check accepts the hostname and the server fetches the URL on the attacker's behalf, so the server becomes a relay to any host the attacker can name that way. Reaching internal resources this way requires an internal name that also carries such a suffix, so the more practical abuse is SSRF and exfiltration through attacker-controlled external domains.
// Security patch in lib/controllers/proxy.js
// Source: https://github.com/TerriaJS/terriajs-server/commit/3aaa5d9717162b245ae4569232bbe7d8673c913f
host = host.toLowerCase();
//check that host is from one of these domains
for (var i = 0; i < proxyDomains.length; i++) {
+ const domainLower = proxyDomains[i].toLowerCase();
if (
- host.indexOf(proxyDomains[i], host.length - proxyDomains[i].length) !==
- -1
+ host === domainLower || host.endsWith("." + domainLower)
) {
return true;
}
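Review bot: the new condition `host === domainLower || host.endsWith("." + domainLower)` closes the suffix hole, but this hunk does not show where `host` comes from; if it is the raw URL host rather than the parsed hostname, a port or userinfo would still be part of the compared string, so the boundary check would then run on the wrong value and a legitimate `tiles.example.com:8443` would be refused. Worth confirming upstream that `host` is the hostname only, and noting it in the comment. Style: `const domainLower` is introduced inside a `var i` counted loop; `for (const domain of proxyDomains)` would read more naturally, and the `//check that host is from one of these domains` comment wants a space after `//`.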
The fix accepts a host only if it is exactly an allowed domain or ends with a period followed by an allowed domain, that is, a real subdomain, which closes the suffix bypass. It also lowercases the configured domain before comparing, so mixed-case allowlist entries now match as intended.
Detection Methods for CVE-2026-27818
Indicators of Compromise
- Proxy requests to domains not explicitly configured in proxyableDomains
- Unusual outbound network traffic from the TerriaJS-Server to unexpected external hosts
- Log entries showing proxy requests with hostnames that share suffixes with allowed domains but are not legitimate subdomains
Detection Strategies
- Monitor proxy request logs for domains that end with allowed domain strings but lack proper subdomain prefixes
- Implement network-level monitoring for outbound connections from TerriaJS-Server instances to unauthorized destinations
- Review access logs for patterns of proxy abuse, such as high-volume requests to unfamiliar domains
Monitoring Recommendations
- Log the target hostname of every proxy request (add logging in the proxy controller if your deployment does not already record it) so validation decisions can be reviewed after the fact
- Deploy network egress filtering to restrict outbound connections from server instances
- Set up alerts for proxy requests that result in connections to IP addresses or domains outside expected ranges
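The following is an added example, not code from terriajs-server or the TerriaJS project: it places the pre-4.0.3 suffix check (Vulnerability Analysis above) beside the 4.0.3 boundary check, and then uses the difference between them as the detection rule from Detection Strategies, scanning a few constructed proxy log lines for hostnames the old check would have let through. The log line format ("timestamp client-ip proxy target-url") and the allowlist are assumptions made up for this example; adapt the parser to whatever your server actually logs.

```javascript
// Added example (not terriajs-server code). The log format, sample lines and
// allowlist below are constructed for illustration.

// Pre-4.0.3 logic: indexOf with fromIndex = host.length - domain.length is just
// "does host end with domain". No label-boundary check, and the configured
// domain is not lowercased (only the host is).
function allowedVulnerable(host, proxyDomains) {
  host = host.toLowerCase();
  for (let i = 0; i < proxyDomains.length; i++) {
    const d = proxyDomains[i];
    if (host.indexOf(d, host.length - d.length) !== -1) return true;
  }
  return false;
}

// 4.0.3 logic: exact match, or a real subdomain (dot boundary); both sides lowercased.
function allowedFixed(host, proxyDomains) {
  host = host.toLowerCase();
  for (const d of proxyDomains) {
    const dl = d.toLowerCase();
    if (host === dl || host.endsWith("." + dl)) return true;
  }
  return false;
}

// Detection rule: a hostname is a suffix-bypass candidate when the old check
// accepts it but the boundary check does not, i.e. it ends with an allowed
// domain string without being that domain or one of its subdomains.
function isSuffixBypass(host, proxyDomains) {
  return allowedVulnerable(host, proxyDomains) && !allowedFixed(host, proxyDomains);
}

// Scan proxy log lines. Assumed (constructed) format:
//   "<ISO timestamp> <client-ip> proxy <target-url>"
// Lines that do not fit the format, or whose URL does not parse, are skipped.
function scanProxyLog(lines, proxyDomains) {
  const findings = [];
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 4 || parts[2] !== "proxy") continue;
    let hostname;
    try {
      // URL parsing strips scheme, userinfo, port and path, so the check runs
      // on the hostname only.
      hostname = new URL(parts[3]).hostname;
    } catch {
      continue;
    }
    if (isSuffixBypass(hostname, proxyDomains)) {
      findings.push({ ts: parts[0], client: parts[1], host: hostname });
    }
  }
  return findings;
}

// Constructed allowlist; the mixed-case entry shows the second defect fixed in 4.0.3.
const ALLOWED = ["example.com", "Data.GOV.au"];

// Constructed log lines (not real traffic).
const SAMPLE_LOG = [
  "2026-02-26T10:00:01Z 203.0.113.5 proxy https://tiles.example.com/wms",        // legit subdomain
  "2026-02-26T10:00:02Z 203.0.113.5 proxy https://notexample.com/collect?x=1",   // suffix bypass
  "2026-02-26T10:00:03Z 198.51.100.9 proxy http://evil-example.com:8080/",       // suffix bypass
  "2026-02-26T10:00:04Z 198.51.100.9 proxy https://user@data.gov.au/api",        // legit, old check wrongly rejected it
  "2026-02-26T10:00:05Z 203.0.113.7 proxy https://example.com.attacker.net/",    // rejected by both checks
  "2026-02-26T10:00:06Z 203.0.113.7 GET /init/terria.json",                      // not a proxy request
  "garbage",                                                                       // malformed
];

console.table(scanProxyLog(SAMPLE_LOG, ALLOWED));
```

Run it with node; the two flagged rows are the hostnames that pass the old check but not the new one. The same isSuffixBypass rule can be pointed at historical logs to look for exploitation that predates patching, which is the review step listed under Immediate Actions.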
How to Mitigate CVE-2026-27818
Immediate Actions Required
- Upgrade TerriaJS-Server to version 4.0.3 or later immediately
- Audit proxyableDomains configuration to ensure minimal necessary domain entries
- Review proxy logs for signs of exploitation prior to patching
- Implement network-level egress controls as defense-in-depth
Patch Information
The vulnerability is fixed in TerriaJS-Server version 4.0.3. The patch changes the domain validation in lib/controllers/proxy.js to accept only an exact match against an allowed domain or a host that ends with "." followed by an allowed domain, comparing both in lowercase. The fix is available in the GitHub commit linked above and is described in the GitHub Security Advisory.
Workarounds
- Restrict network egress at the firewall level to only allow connections to explicitly approved domains
- Place the TerriaJS-Server behind a reverse proxy with additional domain validation
- Temporarily disable the proxy functionality if not critical to operations until patching is complete
# Upgrade example
# Install the patched release explicitly; npm update does not take a version spec reliably
npm install terriajs-server@4.0.3
# Verify that the installed version is 4.0.3 or later
npm list terriajs-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

