Twenty CRM Server-Side Request Forgery Protection Bypass Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Twenty CRM versions prior to 1.18. The issue arises in the SecureHttpClientService, whose SSRF protection validated only the URL of the initial request and did not validate the targets of HTTP redirects. An authenticated user able to control an outbound request URL could therefore point it at an attacker-controlled server that answers with a redirect to a private address, bypassing the private IP blocking. Exploitation could give access to internal network services, including cloud metadata endpoints.

Impact

Exploitation of this vulnerability could allow an authenticated attacker to read responses from internal network services, potentially including sensitive cloud metadata.

Remediation

The vulnerability has been fixed in version 1.18 by moving IP validation from the request level to the connection level, so that every TCP connection the client opens, including those made while following a redirect, is checked against the address it actually connects to.
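The following is an added example illustrating both the flaw described under Vulnerability and the fix described under Remediation. It is not Twenty CRM's code: it is a toy redirect-following HTTP client written in two variants, one that validates only the caller-supplied URL (request level) and one that validates the resolved address of every connection it opens (connection level). The DNS table, the hosts and the HTTP responses are constructed in-process so the script runs offline; the hostnames, addresses and paths are assumptions chosen for the demonstration.

```javascript
// Added example, not Twenty CRM's code. Simulates a redirect-following HTTP
// client with request-level versus connection-level SSRF validation.

// Constructed fake DNS (hostname -> IPv4). "attacker.example" resolves to a
// TEST-NET-3 address that a private-range check lets through.
const FAKE_DNS = {
  "attacker.example": "203.0.113.10",
  "metadata.internal": "169.254.169.254",
};

// Constructed fake servers keyed by the IP a TCP connect would reach.
const FAKE_HOSTS = {
  "203.0.113.10": {
    "/ok": { status: 200, body: "hello" },
    // Attacker-controlled redirect straight to the cloud metadata address.
    "/hook": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
    // The same via a hostname, so a check on the URL's host string is not enough.
    "/hook-by-name": { status: 302, location: "http://metadata.internal/latest/meta-data/" },
  },
  "169.254.169.254": {
    "/latest/meta-data/": { status: 200, body: "ami-id\ninstance-id" },
  },
};

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Blocks "this network", loopback, RFC 1918, link-local (169.254/16, which
// covers cloud metadata endpoints) and CGNAT. Anything that is not a plain
// IPv4 literal (including IPv6) is treated as blocked, i.e. fail closed.
function isBlockedAddress(ip) {
  const m = IPV4.exec(ip);
  if (!m) return true;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return true;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127)
  );
}

// Simulated DNS lookup; IPv4 literals resolve to themselves.
function resolve(hostname) {
  if (IPV4.test(hostname)) return hostname;
  const ip = FAKE_DNS[hostname];
  if (ip === undefined) throw new Error(`getaddrinfo ENOTFOUND ${hostname}`);
  return ip;
}

// Simulated TCP connect plus GET against an already-resolved address.
function connectAndGet(ip, path) {
  const server = FAKE_HOSTS[ip];
  if (server === undefined) throw new Error(`connect ECONNREFUSED ${ip}`);
  return server[path] ?? { status: 404, body: "" };
}

function isRedirect(resp) {
  return resp.status >= 300 && resp.status < 400 && typeof resp.location === "string";
}

// Vulnerable pattern: the SSRF check runs once, on the caller-supplied URL.
// Every redirect target is then connected to without further validation.
function requestLevelFetch(url, maxRedirects = 5) {
  let current = new URL(url);
  if (isBlockedAddress(resolve(current.hostname))) {
    throw new Error(`blocked: ${current.hostname} resolves to a private address`);
  }
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const resp = connectAndGet(resolve(current.hostname), current.pathname);
    if (!isRedirect(resp)) return resp;
    current = new URL(resp.location, current); // followed unchecked
  }
  throw new Error("too many redirects");
}

// Hardened pattern: the check lives in the connect step, so every hop,
// redirect targets included, is validated against the resolved IP that is
// actually connected to, not the host string in the URL.
function guardedConnect(hostname, path) {
  const ip = resolve(hostname);
  if (isBlockedAddress(ip)) {
    throw new Error(`blocked: connection to private address ${ip} (${hostname})`);
  }
  return connectAndGet(ip, path);
}

function connectionLevelFetch(url, maxRedirects = 5) {
  let current = new URL(url);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (current.protocol !== "http:" && current.protocol !== "https:") {
      throw new Error(`blocked: unsupported scheme ${current.protocol}`);
    }
    const resp = guardedConnect(current.hostname, current.pathname);
    if (!isRedirect(resp)) return resp;
    current = new URL(resp.location, current);
  }
  throw new Error("too many redirects");
}

// Runs one client against one URL and summarises the result as a string.
function outcome(client, url) {
  try {
    const resp = client(url);
    return `${resp.status} ${resp.body}`;
  } catch (err) {
    return `ERR ${err.message}`;
  }
}

for (const url of ["http://attacker.example/ok", "http://169.254.169.254/latest/meta-data/",
                   "http://attacker.example/hook", "http://attacker.example/hook-by-name"]) {
  console.log(url);
  console.log("  request-level:    ", outcome(requestLevelFetch, url));
  console.log("  connection-level: ", outcome(connectionLevelFetch, url));
}
```

Running it shows the direct metadata URL blocked by both clients, while the two redirect cases are blocked only by the connection-level client; the request-level client returns the metadata body. In a real Node.js client the equivalent of guardedConnect belongs in the socket creation hook (for example a custom agent or lookup function), because that is the one place every hop, redirect or not, has to pass through, and because checking the resolved address there also closes the gap between a pre-request DNS lookup and the lookup the connection actually uses.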

Added: Mar 5, 2026, 7:24 PM
Updated: Mar 5, 2026, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  4.7
remediation     0.0
relevance       3.5
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.