TerriaJS-Server: Malicious Domains Can Be Proxied
CVE-2026-27818
GHSA-w789-49fc-v8hr
Summary
TerriaJS-Server allows unapproved domains to be proxied if their hostname merely ends with an approved domain, rather than matching it on a label boundary. This means an attacker could register a domain like maliciousexample.com and have it accepted when example.com is allowed, bypassing the proxy restriction. To fix this, update to the latest version, 4.0.3, as soon as possible.
What to do
- Update terria terriajs-server to version 4.0.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| terria | terriajs-server | <= 4.0.3 | 4.0.3 |
| terria | terriajs-server | <= 4.0.3 | – |
Original title
TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
Original description
### Impact
A validation bug allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration.
The validation only checked whether a hostname _ended_ with an allowed domain. This meant:
If `example.com` is allowed in `proxyableDomains`:
- ✅ example.com is allowed (correct)
- ✅ api.example.com is allowed (correct)
- ⚠️ maliciousexample.com is allowed (incorrect)
An attacker could register maliciousexample.com and proxy content through `terriajs-server`, bypassing proxy restrictions.
### Patches
All versions up to 4.0.2 are affected. Upgrade to 4.0.3 to address the vulnerability.
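To make the bug concrete, here is the suffix-only check described above next to a label-boundary check, as an added example. This is not terriajs-server's own code; the function names, the `normalizeHost` helper and the sample hostnames are constructed for illustration, and only the `proxyableDomains` name and the `example.com` / `api.example.com` / `maliciousexample.com` cases come from the advisory.

```javascript
// Constructed allowlist, mirroring the advisory's example of `example.com`
// being listed in `proxyableDomains` (hypothetical variable name).
const proxyableDomains = ["example.com"];

// Lowercase and strip one trailing dot (the DNS root) so that
// "API.EXAMPLE.COM." compares equal to "api.example.com".
function normalizeHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "");
}

// The flawed check the advisory describes: a bare suffix match.
// "maliciousexample.com" ends with "example.com", so it is accepted.
function isAllowedSuffixOnly(hostname, allowlist) {
  const host = normalizeHost(hostname);
  return allowlist.some((d) => host.endsWith(normalizeHost(d)));
}

// Hardened check: accept the allowed domain itself, or a hostname whose
// suffix is "." + the allowed domain, i.e. a match on a label boundary.
// "maliciousexample.com" does not end with ".example.com", so it is rejected.
function isAllowedLabelBoundary(hostname, allowlist) {
  const host = normalizeHost(hostname);
  return allowlist.some((d) => {
    const allowed = normalizeHost(d);
    return host === allowed || host.endsWith("." + allowed);
  });
}

// Run the allowlist check against the hostname of a parsed proxy target,
// never against the raw string, so ports and paths cannot influence it.
function isProxyTargetAllowed(target, allowlist) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false; // unparseable target: refuse rather than guess
  }
  return isAllowedLabelBoundary(url.hostname, allowlist);
}

// Evaluate a set of hostnames under both checks so the difference is visible.
function compareChecks(hostnames, allowlist) {
  return hostnames.map((h) => ({
    host: h,
    suffixOnly: isAllowedSuffixOnly(h, allowlist),
    labelBoundary: isAllowedLabelBoundary(h, allowlist),
  }));
}

// Constructed sample hostnames: the three cases from the advisory plus a
// trailing-dot variant to show why normalization is part of the fix.
const sampleHosts = [
  "example.com",
  "api.example.com",
  "maliciousexample.com",
  "API.EXAMPLE.COM.",
];

console.table(compareChecks(sampleHosts, proxyableDomains));
```

The important design point is the `"." + allowed` concatenation: a suffix check is only safe when the suffix begins at a label boundary, and the exact-match branch covers the bare allowed domain. Normalizing case and the trailing root dot before comparing keeps equivalent spellings of the same hostname from slipping past either branch.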
- NVD CVSS 3.1: 7.5
- NVD CVSS 4.0: 8.7
Vulnerability type
- CWE-20: Improper Input Validation
- CWE-918: Server-Side Request Forgery (SSRF)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27818
- https://github.com/TerriaJS/terriajs-server/releases/tag/4.0.3
- https://github.com/advisories/GHSA-w789-49fc-v8hr
- https://github.com/TerriaJS/terriajs-server/commit/3aaa5d9717162b245ae4569232bbe... Patch
- https://github.com/TerriaJS/terriajs-server/security/advisories/GHSA-w789-49fc-v... Vendor Advisory
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026