
CVE-2026-33975

Published 05/05/2026 20:16 · Modified 05/05/2026 20:24

Labels: CVE-2026-33975 · 2026-05-05 · CWE-918 · [email protected]

Essential information

Published: 05/05/2026 20:16
Modified: 05/05/2026 20:24
CVSS: 8.3 HIGH (v3) · 8.3 HIGH (v4.0)
CISA KEV: No
CWE: CWE-918

Description

Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation. As a result, the hex form passes the SSRF check unchecked. Additionally, the socket lookup validation event does not fire for IP literal addresses, bypassing the second validation layer. An authenticated user can reach any internal IP, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys.

NVD status

Status: Deferred — When a CVE is given this status the NVD does not plan to analyze or re-analyze this CVE due to resource or other concerns.
Source: [email protected]

Affected products (CPE)

Product           CPE
twenty / twenty   cpe:2.3:a:twenty:twenty:*:*:*:*:*:*:*:*
twenty / twenty   cpe:2.3:a:twenty:twenty:<1.18.0:*:*:*:*:*:*

References