CVE-2022-1711
Published 2022-05-17. CVE-2022-1711: Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5.
Priority: P3 (54) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit
EPSS: 5.37% (91.6th percentile)
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| diagrams | drawio | < 18.0.5 | 18.0.5 |
| jgraph | jgraph_drawio | >= unspecified < 18.0.5 | 18.0.5 |
Detection & IOCs (extracted from sources)
URL: /proxy?url=http://{{interactsh-url}}
Path: /proxy
- SSRF probe: HTTP GET request to the /proxy endpoint with a url= parameter pointing to an out-of-band callback host. A successful exploit returns HTTP 200 with Content-Type: application/octet-stream and triggers a DNS interaction.
- Shodan/FOFA fingerprint for exposed draw.io instances: search for html:"draw.io" (Shodan) or body="draw.io" (FOFA) to identify attack surface.
- The vulnerable component is the ProxyServlet; look for GET requests to /proxy?url= in web server access logs, especially where the url parameter resolves to internal RFC-1918 or link-local addresses.
- The fix introduces isLinkLocalAddress() checks; absence of this check in versions prior to 18.0.5 confirms exploitability. Reference the patch commit for diff-based detection.
- Vulnerability is only present in draw.io (diagrams.net) versions strictly prior to 18.0.5; version 18.0.5 and later are patched.
- The attack requires no authentication (PR:N, UI:N), meaning any network-reachable instance is exposed without credentials.
- Out-of-band DNS interaction (interactsh) is required to confirm exploitation; a 200 response alone is insufficient: Content-Type must also be application/octet-stream and a DNS callback must be observed.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | | 5.5 | MEDIUM | |
No detection rules found.
Nuclei
CVE-2022-1711 [HIGH] draw.io < 18.0.5 - Server Side Request Forgery (SSRF) (nuclei · CVSS 7.5)
Server-Side Request Forgery (SSRF) vulnerability in draw.io (also known as diagrams.net) prior to version 18.0.5 allows attackers to bypass URL validation restrictions in the ProxyServlet component. The vulnerability exists because the application does not properly validate URLs passed to its proxy endpoint, allowing attackers to make requests to internal services or external servers. This can lead to unauthorized access to internal resources and potential data exfiltration.
Template:

```yaml
id: CVE-2022-1711

info:
  name: draw.io < 18.0.5 - Server Side Request Forgery (SSRF)
  author: ritikchaddha
  severity: high
  description: |
    Server-Side Request Forgery (SSRF) vulnerability in draw.io (also known as diagrams.net) prior to version 18.0.5 allo
```
No writeups or analysis indexed.
Published: 2022-05-17