CVE-2026-33975 Overview
CVE-2026-33975 is a Server-Side Request Forgery (SSRF) vulnerability in Twenty, an open source customer relationship management (CRM) platform built on NestJS and Node.js. The flaw affects versions 1.18.0 and earlier of twenty-server. The SecureHttpClientService SSRF protection can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Authenticated users can pivot internal HTTP requests to private network ranges, including cloud metadata services. The issue is classified under CWE-918.
Critical Impact
Authenticated attackers can reach internal IPs and cloud metadata endpoints (e.g., 169.254.169.254) to exfiltrate IAM credentials and other sensitive infrastructure secrets.
Affected Products
- Twenty CRM twenty-server versions 1.18.0 and earlier
- Deployments using the SecureHttpClientService for outbound HTTP requests
- Self-hosted Twenty instances exposed to authenticated users
Discovery Timeline
- 2026-05-05 - CVE-2026-33975 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-33975
Vulnerability Analysis
Twenty's SecureHttpClientService enforces SSRF protection by validating destination addresses against an isPrivateIp utility. The check is intended to block requests to RFC1918 ranges, loopback addresses, and link-local IPs. The validation operates only on dotted-decimal IPv4 notation. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses into compressed hexadecimal form before the validator inspects them. For example, ::ffff:169.254.169.254 is rewritten to ::ffff:a9fe:a9fe, which bypasses the dotted-decimal pattern match.
A second defense layer relies on the socket's lookup event to validate resolved IPs at connect time. That event fires only after a DNS lookup, so it never fires when the URL host is an IP literal. Both validation layers therefore fail simultaneously when an attacker supplies an IPv4-mapped IPv6 literal. The result is unrestricted outbound HTTP access to internal infrastructure from the application server.
Root Cause
The root cause is incomplete address-format coverage in the isPrivateIp check. The validator does not canonicalize IPv6 representations before comparison. Node.js silently rewrites IPv4-mapped IPv6 forms, producing addresses the validator never anticipated. The socket-level fallback also assumes DNS resolution will occur, which is not the case for IP literals.
Attack Vector
An authenticated user submits a URL containing an IPv4-mapped IPv6 literal to any Twenty feature that performs server-side fetches. Example payloads include http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/ to reach AWS Instance Metadata Service (IMDSv1). The server issues the request with its own network identity and returns the response body to the attacker. This exposes IAM keys, internal admin endpoints, Kubernetes API servers, and database management interfaces.
No verified public exploit code is available. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-33975
Indicators of Compromise
- Outbound HTTP requests from Twenty application servers to 169.254.169.254, fd00::/8, or other internal ranges
- Application logs containing user-supplied URLs with [::ffff: or other IPv6 literal brackets
- Unexpected access patterns to cloud metadata endpoints originating from CRM workloads
- Anomalous IAM credential usage from instance roles bound to Twenty hosts
Detection Strategies
- Inspect Twenty audit logs and reverse-proxy access logs for URL parameters containing IPv6 bracketed literals
- Correlate egress NetFlow or VPC flow logs from CRM hosts against allowlisted destinations
- Alert on metadata service queries (169.254.169.254, fd00:ec2::254) sourced from application tiers that should not require them
Monitoring Recommendations
- Enable cloud audit logging for IAM credential issuance and STS AssumeRole calls tied to instance profiles
- Forward Node.js application logs to a centralized SIEM and parse outbound request URLs
- Monitor for sudden increases in outbound HTTP error rates from the CRM tier, indicating probing
How to Mitigate CVE-2026-33975
Immediate Actions Required
- Upgrade twenty-server to a version later than 1.18.0 that includes the SSRF fix
- Enforce IMDSv2 with hop-limit 1 on AWS to neutralize SSRF reads of instance credentials
- Restrict egress from Twenty workloads using network policies or security groups that block link-local and private ranges
- Rotate any IAM credentials, API tokens, or secrets that may have been exposed via the metadata service
Patch Information
Apply the upstream fix referenced in the Twenty GitHub Security Advisory GHSA-vrcj-hv2q-c58m. The remediation extends isPrivateIp to canonicalize IPv6 representations, including IPv4-mapped forms, and adds explicit blocking for IP literal hosts.
Workarounds
- Place an egress proxy in front of Twenty that denies requests to RFC1918, link-local, and IPv6 unique-local addresses
- Disable or restrict any Twenty features that accept user-supplied URLs until the patch is applied
- Run Twenty workloads with instance profiles that hold no privileged IAM permissions
# Example AWS CLI: enforce IMDSv2 to mitigate metadata SSRF
aws ec2 modify-instance-metadata-options \
--instance-id i-0123456789abcdef0 \
--http-tokens required \
--http-put-response-hop-limit 1 \
--http-endpoint enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.