SSRF in /service endpoint in jgraph/drawio


Reported on

May 20th 2022


The problem came from this line of code

I ran docker-drawio with following command :

docker run -it --rm --name="draw" -e EXPORT_URL= -p 8080:8080 -p 8443:8443 jgraph/drawio

if the drawio EXPORT_URL is set to an address without any / after the primary Hostname like not like or, then an attacker can send a request to with a payload like http://draio-instance/service/0/@

Proof of Concept

  1. run docker run -it --rm --name="draw" -e EXPORT_URL= -p 8080:8080 -p 8443:8443 jgraph/drawio and then docker ps and get the drawio hash name ( called HN)
  2. run docker exec -it HN /bin/bash
  3. run apt update && apt install netcat && netcat -l 4430
  4. go to http://draio-instance:8080/service/0/@ you can see the http log on netcat had been recorded

it is a Full SSRF If you need another POC I can give you an HTTP logger script that returns some things to the attacker


Also, I don't know what exactly is JSESSIONID cookie? but I can receive its content in a My public IP after redirect too!


The impact is achieved to all internal http webservers' contents if they host a file with a short and enumerable name! Or get cloud metadata, port scanning, and some special cases achieve RCE too!

However, it is an Open-redirect too.

about the CVSS: Attack Complexity is high because this vulnerability depends on some special configuration for EXPORT_URL. Availability is none Confidentiality and Availability can be high as it is a full SSRF.

I think 7.4 is a good score if you don't please tell me to change it, please.

We are processing your report and will contact the jgraph/drawio team within 24 hours. 2 years ago
Am modified the report
2 years ago
2 years ago


Hey David, can you ping somethings to me about this report?

We have contacted a member of the jgraph/drawio team and are waiting to hear back 2 years ago
David Benson
2 years ago


Hey. We're thinking about this one (please also consider it's the weekend and we're not working). I'd say the integrity affect is low, following the guidance on, since it's dependent on a number of server setup factor, the integrity effect is certainly not high in every case, and would be none for certain setups.

Am modified the report
2 years ago
Am modified the report
2 years ago
2 years ago


I made a mistake. The attack complexity is not high because, as you say, because of the server setup factor, the integrity should be none, and also attack complexity about how we can exploit the founded vulnerability. Here the exploit is simple. even not need any server for DNS rebinds or redirection URLs. So do you agree with 5.3?

David Benson validated this vulnerability 2 years ago

Yes, I think medium overall is right for this issue. We'll investigate it today.

am0o0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
2 years ago


I'm glad to see we're on the same page!

David Benson marked this as fixed in 18.1.2 with commit c287be 2 years ago
The fix bounty has been dropped
to join this conversation