CVE-2026-62143: CWE-918 Server-Side Request Forgery (SSRF) in misp misp-modules
A Server-Side Request Forgery (SSRF) protection bypass existed in the html_to_markdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges without first normalising IPv4-mapped IPv6 addresses. An authenticated attacker able to invoke the module could supply an IPv4-mapped IPv6 address, such as: http://[::ffff:127.0.0.1]/ http://[::ffff:169.254.169.254]/ Alternatively, the attacker could use a hostname that resolves to an IPv4-mapped IPv6 address. These addresses were treated as IPv6 addresses and therefore did not match the corresponding blocked IPv4 ranges. Successful exploitation could cause the misp-modules server to connect to services available through its loopback interface, internal network, or link-local network. This could expose internal web services, administrative interfaces, or cloud instance metadata, with retrieved content potentially returned to the attacker as converted Markdown. The vulnerability has been addressed by normalising IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying the blocked-range checks. URLs without a valid hostname are now also rejected.
AI Analysis
Technical Summary
The SSRF protection bypass in misp-modules' html_to_markdown expansion module occurs because IP addresses are checked against restricted ranges without normalizing IPv4-mapped IPv6 addresses. Attackers with authentication can supply IPv4-mapped IPv6 addresses or hostnames resolving to such addresses, which are treated as IPv6 and thus bypass the blocked IPv4 range checks. This allows the server to connect to internal network services, potentially exposing sensitive internal web services, administrative interfaces, or cloud metadata endpoints. The fix involves normalizing IPv4-mapped IPv6 addresses to their IPv4 equivalents before applying IP range checks and rejecting URLs lacking valid hostnames.
Potential Impact
An authenticated attacker can exploit this vulnerability to cause the misp-modules server to connect to internal or restricted network services, including loopback and cloud instance metadata endpoints. This may lead to exposure of sensitive internal resources or data, with the retrieved content possibly returned to the attacker as converted Markdown. The vulnerability has a high severity with a CVSS 4.0 score of 8.3, indicating significant risk if exploited.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is addressed by normalizing IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying blocked-range checks and rejecting URLs without valid hostnames. Until an official fix is confirmed, restrict access to the html_to_markdown module to trusted authenticated users and monitor for suspicious usage patterns.
CVE-2026-62143: CWE-918 Server-Side Request Forgery (SSRF) in misp misp-modules
Description
A Server-Side Request Forgery (SSRF) protection bypass existed in the html_to_markdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges without first normalising IPv4-mapped IPv6 addresses. An authenticated attacker able to invoke the module could supply an IPv4-mapped IPv6 address, such as: http://[::ffff:127.0.0.1]/ http://[::ffff:169.254.169.254]/ Alternatively, the attacker could use a hostname that resolves to an IPv4-mapped IPv6 address. These addresses were treated as IPv6 addresses and therefore did not match the corresponding blocked IPv4 ranges. Successful exploitation could cause the misp-modules server to connect to services available through its loopback interface, internal network, or link-local network. This could expose internal web services, administrative interfaces, or cloud instance metadata, with retrieved content potentially returned to the attacker as converted Markdown. The vulnerability has been addressed by normalising IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying the blocked-range checks. URLs without a valid hostname are now also rejected.
CVSS v4.0
Score 8.3high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The SSRF protection bypass in misp-modules' html_to_markdown expansion module occurs because IP addresses are checked against restricted ranges without normalizing IPv4-mapped IPv6 addresses. Attackers with authentication can supply IPv4-mapped IPv6 addresses or hostnames resolving to such addresses, which are treated as IPv6 and thus bypass the blocked IPv4 range checks. This allows the server to connect to internal network services, potentially exposing sensitive internal web services, administrative interfaces, or cloud metadata endpoints. The fix involves normalizing IPv4-mapped IPv6 addresses to their IPv4 equivalents before applying IP range checks and rejecting URLs lacking valid hostnames.
Potential Impact
An authenticated attacker can exploit this vulnerability to cause the misp-modules server to connect to internal or restricted network services, including loopback and cloud instance metadata endpoints. This may lead to exposure of sensitive internal resources or data, with the retrieved content possibly returned to the attacker as converted Markdown. The vulnerability has a high severity with a CVSS 4.0 score of 8.3, indicating significant risk if exploited.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is addressed by normalizing IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying blocked-range checks and rejecting URLs without valid hostnames. Until an official fix is confirmed, restrict access to the html_to_markdown module to trusted authenticated users and monitor for suspicious usage patterns.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CIRCL
- Date Reserved
- 2026-07-13T07:52:02.284Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a54a64468715ace43837a22
Added to database: 07/13/2026, 08:48:04 UTC
Last enriched: 07/13/2026, 09:02:28 UTC
Last updated: 07/13/2026, 22:04:30 UTC
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.