CVE-2026-27818: TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
A validation bug allows an attacker to proxy domains not explicitly allowed in the proxyableDomains configuration.
The validation only checked whether a hostname ended with an allowed domain, with no requirement that the match fall on a label boundary. This meant:
If example.com is allowed in proxyableDomains:
- ✅ example.com is allowed (correct)
- ✅ api.example.com is allowed (correct)
- ⚠️ maliciousexample.com is allowed (incorrect)
An attacker could register maliciousexample.com and proxy content through terriajs-server, bypassing proxy restrictions.
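The suffix-match bug described above beside a boundary-aware replacement, as an added illustration that is not terriajs-server's own code (the project's actual fix is in the referenced commit); the allowlist value is taken from the advisory's example and the function names are hypothetical:

```javascript
// Added illustration of the CVE-2026-27818 bug class. Not terriajs-server's
// own code; function and variable names are hypothetical.

// Constructed allowlist, mirroring the advisory's example.
const proxyableDomains = ["example.com"];

// Vulnerable check: a plain suffix match. "maliciousexample.com" ends with
// "example.com", so it is accepted even though it is an unrelated host.
function isProxyableVulnerable(hostname, allowlist = proxyableDomains) {
  return allowlist.some((d) => hostname.endsWith(d));
}

// Hardened check: the hostname must equal an allowed domain exactly, or be
// a subdomain of it (the allowed domain must be preceded by a dot).
function isProxyableFixed(hostname, allowlist = proxyableDomains) {
  const host = normalizeHostname(hostname);
  if (host === null) return false;
  return allowlist.some((raw) => {
    const d = normalizeHostname(raw);
    return d !== null && (host === d || host.endsWith("." + d));
  });
}

// Normalise before comparing: lower-case, drop one trailing dot, and reject
// empty input or anything that is not a plausible DNS hostname.
function normalizeHostname(hostname) {
  if (typeof hostname !== "string") return null;
  let h = hostname.trim().toLowerCase();
  if (h.endsWith(".")) h = h.slice(0, -1);
  if (h === "" || !/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(h)) return null;
  return h;
}

// Take the hostname from the full target URL, as a proxy endpoint should,
// so userinfo, ports and paths cannot carry an allowed string past the check.
function hostnameOfUrl(target) {
  try {
    return new URL(target).hostname;
  } catch {
    return null;
  }
}
```

Running the vulnerable and fixed checks side by side on the advisory's three hostnames shows only the fixed version rejecting maliciousexample.com.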
References
- github.com/TerriaJS/terriajs-server
- github.com/TerriaJS/terriajs-server/commit/3aaa5d9717162b245ae4569232bbe7d8673c913f
- github.com/TerriaJS/terriajs-server/releases/tag/4.0.3
- github.com/TerriaJS/terriajs-server/security/advisories/GHSA-w789-49fc-v8hr
- github.com/advisories/GHSA-w789-49fc-v8hr
- nvd.nist.gov/vuln/detail/CVE-2026-27818