terriajs-server@1.1.2 vulnerabilities

NodeJS server for TerriaJS, consisting of a CORS proxy, proj4 CRS lookup service, and express static server.

Direct Vulnerabilities

Known vulnerabilities in the terriajs-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • [M] Server-Side Request Forgery (SSRF)

terriajs-server is a basic NodeJS Express server that serves up a (not included) static TerriaJS-based site (such as National Map) with a few additional useful services.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server whitelisted by the terriajs-server proxy or if the attacker is able to modify the DNS records of a domain whitelisted by the terriajs-server proxy, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in the hosting environment.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade terriajs-server to version 2.7.4 or higher.

Vulnerable Version: <2.7.4
  • [M] Server-Side Request Forgery (SSRF)

terriajs-server is a basic NodeJS Express server that serves up a (not included) static TerriaJS-based site (such as National Map) with a few additional useful services.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). Once an attacker has access to a server whitelisted by the terriajs-server proxy, or the attacker is able to modify the DNS records of a domain whitelisted by the terriajs-server proxy, the terriajs-server proxy can be used to access any HTTP resources accessible to the server, including private data in the hosting environment.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade terriajs-server to version 2.7.4 or higher.

Vulnerable Version: <2.7.4
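
The DNS case in the two SSRF entries above (a whitelisted domain whose records are changed to point at a private resource) is caught by vetting the addresses a host resolves to, not only its name. This is an added example, not code from terriajs-server or its 2.7.4 fix; `checkProxyTarget`, `isInternalAddress`, the allowlist and all addresses are hypothetical, constructed values.

```javascript
// Added example: hypothetical helpers, not terriajs-server's API.
// IPv4 ranges a proxy should not reach for a client: loopback, RFC 1918,
// CGNAT, link-local (includes the 169.254.169.254 metadata address).
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted-quad string -> unsigned 32-bit number, or null if not valid IPv4.
function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInternalAddress(ip) {
  let addr = ip.toLowerCase();
  const mapped = addr.startsWith('::ffff:'); // IPv4-mapped IPv6
  if (mapped) addr = addr.slice(7);
  const n = v4ToInt(addr);
  if (n !== null) {
    return BLOCKED_V4.some(([base, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
    });
  }
  if (mapped || !addr.includes(':')) return true; // unparseable: fail closed
  // IPv6 loopback, unspecified, unique-local fc00::/7, link-local fe80::/10
  return addr === '::1' || addr === '::' ||
    /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
}

// host: requested hostname; resolved: addresses DNS returned for it.
function checkProxyTarget(host, resolved, allowlist) {
  const deny = (reason) => ({ allow: false, reason });
  if (!allowlist.includes(host.toLowerCase())) return deny('host not allowlisted');
  if (resolved.length === 0) return deny('no addresses');
  const bad = resolved.find(isInternalAddress);
  if (bad) return deny(`resolves to internal address ${bad}`);
  return { allow: true, connectTo: resolved[0] }; // connect to the vetted IP
}

const ALLOWLIST = ['data.example.org']; // constructed sample data
console.log(checkProxyTarget('data.example.org', ['169.254.169.254'], ALLOWLIST));
```

In a real proxy the `resolved` list would come from the resolver, and the outbound connection should go to `connectTo` so that a second lookup cannot return a different address.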