libtaxii is vulnerable to server-side request forgery (SSRF)


14 Oct 2020



CVSSv3 score


(Snyk score)


images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg 2.9.0


libtaxii versions 1.1.117 and earlier are vulnerable to SSRF.
It is possible to exploit the vulnerability by passing a http:// string as an argument of the parse method.

The libtaxii parse method wraps the lxml library; it uses the library etree module to parse data and to store hierarchical structures in the memory.
libtaxii is a dependency of EclecticIQ OpenTAXII, which is therefore also affected by the same vulnerability in versions 0.2.0 and earlier.

  1. An attacker could exploit the vulnerability by sending a maliciously crafted TAXII request to a TAXII server.

  2. The TAXII server would accept the request, and it would not verify that the expected destination matches the actual one.

  3. The TAXII server could then be deceived into connecting to arbitrary IP addresses or domains that the attacker controls.

The vulnerability can be exploited on any platform instance relying on a running TAXII server.
To exploit the vulnerability, an attacker would not need to log in to the platform.

The following example uses cURL to demonstrate the exploit:

curl -i -s -k -X $'POST' \
-H $'Host:' \
-H $'Connection: close' \
-H $'Accept-Encoding: gzip, deflate' \
-H $'Accept: application/xml' \
-H $'User-Agent: Cabby 0.1.20' \
-H $'X-TAXII-Accept: urn:taxii.mitre.org:message:xml:1.1' \
-H $'X-TAXII-Services: urn:taxii.mitre.org:services:1.1' \
-H $'X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1' \
-H $'X-TAXII-Protocol: urn:taxii.mitre.org:protocol:https:1.0' \
-H $'Content-Type: application/xml' \
-H $'Content-Length: 19' \
--data-binary $'' \
--url $''
  • is the IP address of the server hosting a platform instance.

  • is the IP address of the platform instance.

  • /taxii/discovery is the endpoint exposing the TAXII discovery service.

  • is the arbitrary address the platform TAXII server is deceived into connecting to.

See also:


The vulnerability has been addressed and solved in libtaxii version 1.1.118.

From release 2.9.0, the platform and its OpenTAXII server component depend on libtaxii 1.1.118.
To address the vulnerability, we encourage upgrading the platform to release 2.9.0.

For platform releases 2.8.0 and earlier, it is possible to upgrade to libtaxii 1.1.118 within the platform virtual environment.
This dependency upgrade works and is compatible with EclecticIQ Platform releases 2.8.0 and earlier, and with OpenTAXII releases 0.2.0 and earlier.

To mitigate the issue in platform instances release 2.8.0 and earlier:

  • Restrict platform access to only trusted users.

  • Do not allow platform access to untrusted sources.

  • Do not allow external requests to localhost through the network loopback interface.

Affected versions

2.8.0 and earlier.


For more information, see:

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/information.svg    This section is not visible to users accessing the public docs, it's for internal reference   images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/information.svg

See also:

< Back to all security issues and mitigation actions

In release notes 2.9.0