Advisories for Npm/Terriajs-Server package

A validation bug allows an attacker to proxy domains not explicitly allowed in the proxyableDomains configuration. The validation only checks if a hostname ended with an allowed domain. This meant: If example.com is allowed in proxyableDomains: ✅ example.com is allowed (correct) ✅ api.example.com is allowed (correct) ⚠️ maliciousexample.com is allowed (incorrect) An attacker could register maliciousexample.com and proxy content through terriajs-server, bypassing proxy restrictions.

Versions of terriajs-server are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server allow listed by the terriajs-server proxy or if the attacker is able to modify the DNS records of a domain allow listed by the terriajs-server proxy, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in the hosting environment. Upgrade …