CVE-2026-59702
Repomix · Repomix
Repomix contains a server-side request forgery (SSRF) vulnerability in the POST /api/pack endpoint, allowing unauthenticated attackers to make arbitrary outbound requests.
Executive summary
A critical SSRF vulnerability in Repomix allows unauthenticated attackers to perform unauthorized requests, potentially exposing private network resources and cloud metadata.
Vulnerability
This is a Server-Side Request Forgery (SSRF) vulnerability occurring in the POST /api/pack endpoint. The application fails to sanitize input URLs, allowing unauthenticated attackers to force the server to initiate requests to internal network addresses, cloud metadata services, or local filesystem paths.
Business impact
The ability to perform SSRF poses a significant risk to internal infrastructure. Attackers can leverage this flaw to bypass perimeter firewalls, exfiltrate sensitive cloud metadata (such as IAM credentials), or scan internal network segments. With a CVSS score of 9.3, this vulnerability represents a critical threat that could lead to full compromise of the hosting environment.
Remediation
Immediate Action: Upgrade to version 1.14.1 or later immediately to incorporate necessary URL validation logic.
Proactive Monitoring: Inspect server access logs for anomalous requests to the /api/pack endpoint, specifically looking for attempts to access internal IPs (e.g., 169.254.169.254) or local file paths.
Compensating Controls: Implement strict egress filtering on the server hosting Repomix to prevent unauthorized outbound requests to sensitive internal and cloud management endpoints.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability is highly severe due to its unauthenticated nature and potential for internal network reconnaissance. Administrators must prioritize updating the software to the patched version 1.14.1 to eliminate the SSRF vector. If an immediate update is not feasible, egress traffic from the application server should be restricted to known-good destinations only.