Full Report
Draw.io is a website for drawing diagrams. The first vulnerability is a simple SSRF bug caused by a bad, manually maintained blacklisting technique. The second issue is much cooler, though. The website supports OAuth from third-party providers like GitHub. If we can force a redirect during this flow, we can steal the OAuth token, which would be awesome. However, an absolute URL is not allowed as the redirect target; only relative URLs are. Regardless, the author decided to take a look to see if they could bypass this.

The verification code checks whether the URL is absolute or not. The library doing this follows the specification perfectly. If the URL is invalid, then the code assumes it's a relative path! So, what if we found a URL that was invalid according to the RFC but was processed as an absolute URL by the browser? The author did some fuzzing and manual testing of this. Chrome, ever nice, does not conform to the RFC! In particular, if there is a space after the protocol, it will just remove the space. To the library, however, this is an invalid URL, which triggers our error path. An example is https:// @evil.com/, with the space being the important thing here. Since the absolute-URL check is bypassed, the redirect is made to an attacker-controlled website. This steals the OAuth code, leading to a compromise of the user.

Overall, amazing post on the bug. I love the idea of "what if we have an invalid URL by the RFC but valid to Chrome?" Even though the issue was not immediately exploitable, the idea from the bad error handling was there.
Analysis Summary
# Vulnerability: Authentication Bypass and SSRF in draw.io
## CVE Details
- **CVE ID:** CVE-2022-1774 (OAuth Token Theft), CVE-2022-1713 (SSRF)
- **CVSS Score:** 9.1 (Critical) for CVE-2022-1774; 8.1 (High) for CVE-2022-1713
- **CWE:** CWE-601 (Open Redirect), CWE-918 (Server-Side Request Forgery)
## Affected Systems
- **Products:** draw.io (diagrams.net)
- **Versions:** Open-source versions prior to May 2022 updates.
- **Configurations:** Systems utilizing default `ProxyServlet` or OAuth integrations (e.g., GitHub, Google Drive via `*AuthServlet`).
## Vulnerability Description
The application suffered from two distinct architectural flaws:
1. **Improper SSRF Validation (CVE-2022-1713):** The `/proxy` endpoint utilized a manual blocklist to prevent internal network requests. This blocklist was incomplete and failed to account for alternative IP representations (e.g., using `http://0:8080/` to reference localhost), allowing attackers to scan internal infrastructure.
2. **OAuth Token Theft via RFC Non-Compliance (CVE-2022-1774):** The OAuth flow attempted to restrict the `redirect` parameter to relative URLs. It validated this by checking whether the URL was "absolute" according to RFC standards. If the `new URL(url)` constructor threw a `MalformedURLException`, the system assumed the URL was a safe relative path and appended it to a redirect header. However, browsers (specifically Chrome) do not strictly follow the RFC. By using an invalid URL format like `https:// @evil.com/` (containing a space character after the scheme), the backend triggered the exception and treated the value as a relative path, while Chrome interpreted it as a valid absolute destination, leaking the OAuth `access_token` to an attacker-controlled domain.
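The following is an added illustration, not code from draw.io or from the huntr reports: it models the failure-open check (a strict RFC parser's error taken as proof of a relative path) next to a positive check that only accepts same-origin paths. The RFC parser is simulated with a character-class regex, the browser's space-stripping is approximated, and `APP_ORIGIN` is an assumed deployment origin.

```python
"""Redirect-target validation: failure-open pattern vs. positive same-origin check."""
import re
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://app.example.test"  # assumed deployment origin (constructed)

# Simulates a strict RFC 3986-conformant absolute-URL parser: any character outside
# the RFC's allowed set (a space, for instance) is a parse error.
_RFC_ABSOLUTE = re.compile(
    r"^[A-Za-z][A-Za-z0-9+.-]*://[A-Za-z0-9\-._~%!$&'()*+,;=:@/?#\[\]]*$")


def strict_parse_absolute(url: str) -> None:
    """Raise ValueError when url is not a well-formed absolute URL per the RFC."""
    if not _RFC_ABSOLUTE.match(url):
        raise ValueError("malformed URL")


def vulnerable_is_relative(url: str) -> bool:
    """The pattern described above: a parse error is taken as proof that the
    value is a relative path, so it is allowed through (fail-open)."""
    try:
        strict_parse_absolute(url)
        return False          # parsed as absolute -> rejected
    except ValueError:
        return True           # parse error -> assumed relative (the bug)


def browser_destination(url: str) -> str:
    """Approximates the lenient browser: whitespace right after 'scheme://' is
    dropped, then the value is resolved against the app origin. Returns the host."""
    cleaned = re.sub(r"^([A-Za-z][A-Za-z0-9+.-]*://)\s+", r"\1", url)
    return urlsplit(urljoin(APP_ORIGIN, cleaned)).hostname


# Positive grammar for a local path: a single leading '/', not '//' or '/\',
# and only characters that cannot smuggle a scheme or authority.
_SAFE_PATH = re.compile(r"^/(?![/\\])[A-Za-z0-9\-._~%!$&'()*+,;=:@/?#]*$")


def safe_is_relative(url: str) -> bool:
    """Allowlist check: the value must look like a local path and, once
    resolved, must still sit on the application's own scheme and host."""
    if not _SAFE_PATH.match(url):
        return False
    resolved = urlsplit(urljoin(APP_ORIGIN, url))
    return resolved[:2] == urlsplit(APP_ORIGIN)[:2]
```

Run against `https:// @evil.com/`, the fail-open check returns "relative" while the browser lands on `evil.com`; the positive check rejects it along with `//evil.com/` and `https://evil.com/`.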
## Exploitation
- **Status:** PoC available.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Full theft of OAuth tokens and access to third-party data like GitHub/Google Drive).
- **Integrity:** High (Ability to modify user diagrams and repository data).
- **Availability:** Low.
## Remediation
### Patches
- Users of the self-hosted draw.io/diagrams.net should update to the latest version available on GitHub (post-May 2022).
- Specific fixes involve replacing manual IP blacklisting with robust allowlisting and improving URL validation logic in `*AuthServlet.java`.
### Workarounds
- Disable the `/proxy` and `/github2` endpoints if they are not required for your specific deployment.
- Implement a Web Application Firewall (WAF) to block request parameters containing whitespace or `@` symbols in redirect contexts.
## Detection
- **Indicators of Compromise:** Review web logs for 302 redirects where the `Location` header contains unexpected outbound domains or malformed characters (e.g., `%20%40`).
- **Detection methods:** Monitor for any requests to the `/proxy` endpoint targeting reserved IP ranges or short-hand IP notation (e.g., `0`, `127.1`).
## References
- hxxps://huntr[.]dev/bounties/6ac07c49-bb7f-47b5-b361-33e6757b8757/
- hxxps://huntr[.]dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11/
- hxxps://github[.]com/jgraph/drawio/