Security Disclosure: SSRF via MetaIssuer Regex Bypass
Summary
Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services.
Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through blind SSRF.
Impact
- SSRF to cloud metadata (169.254.169.254)
- SSRF to internal Kubernetes APIs
- SSRF to any service accessible from Fulcio's network
- Affects ALL deployments using MetaIssuers
Patches
Upgrade to v1.8.5.
Workarounds
None. If anchors are included in the meta issuer configuration URL, they are escaped before the regular expression is compiled, so this is not a sufficient mitigation. Deployments must upgrade to the latest Fulcio release, v1.8.5.
Affected Code
File: pkg/config/config.go
Function: metaRegex() (lines 143-156)
func metaRegex(issuer string) (*regexp.Regexp, error) {
	quoted := regexp.QuoteMeta(issuer) // escape regex metacharacters in the configured issuer glob
	replaced := strings.ReplaceAll(quoted, regexp.QuoteMeta("*"), "[-_a-zA-Z0-9]+") // each "*" becomes a single-label wildcard
	return regexp.Compile(replaced) // Missing ^ and $ anchors
}
The Bug
The regex has no ^ (start) or $ (end) anchors. Go's regexp.MatchString() does substring matching, so:
Pattern: https://oidc.eks.*.amazonaws.com/id/*
Regex: https://oidc\.eks\.[-_a-zA-Z0-9]+\.amazonaws\.com/id/[-_a-zA-Z0-9]+
Input: https://attacker.com/x/https://oidc.eks.foo.amazonaws.com/id/bar
Result: MATCHES (substring found)
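To make the anchoring point concrete, here is an added Go example (not Fulcio's code) that puts the vulnerable construction beside an anchored variant and checks both against the advisory's inputs. The anchored builder is an assumed illustration of the fix, not necessarily the exact upstream patch, and the issuer strings are constructed for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// globToRegex is the conversion from the advisory: quote the issuer, then turn
// each escaped "*" into a single-label character class.
func globToRegex(issuer string) string {
	return strings.ReplaceAll(regexp.QuoteMeta(issuer), regexp.QuoteMeta("*"), "[-_a-zA-Z0-9]+")
}

// metaRegexUnanchored reproduces the vulnerable construction (no ^ or $).
func metaRegexUnanchored(issuer string) (*regexp.Regexp, error) {
	return regexp.Compile(globToRegex(issuer))
}

// metaRegexAnchored is the hardened form assumed here (an illustration, not
// necessarily the exact upstream patch): anchors go on after quoting.
func metaRegexAnchored(issuer string) (*regexp.Regexp, error) {
	return regexp.Compile("^" + globToRegex(issuer) + "$")
}

// IssuerMatches reports whether the presented iss claim is accepted by the
// configured pattern under the chosen construction.
func IssuerMatches(pattern, iss string, anchored bool) (bool, error) {
	build := metaRegexUnanchored
	if anchored {
		build = metaRegexAnchored
	}
	re, err := build(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(iss), nil
}

func main() {
	pattern := "https://oidc.eks.*.amazonaws.com/id/*"
	// Constructed inputs: a legitimate issuer and the embedded-URL shape from the advisory.
	for _, iss := range []string{
		"https://oidc.eks.foo.amazonaws.com/id/bar",
		"https://attacker.com/x/https://oidc.eks.foo.amazonaws.com/id/bar",
	} {
		u, _ := IssuerMatches(pattern, iss, false)
		a, _ := IssuerMatches(pattern, iss, true)
		fmt.Printf("unanchored=%-5v anchored=%-5v %s\n", u, a, iss)
	}
}
```

Passing a pattern that already contains ^ and $ through the unanchored builder shows why the configuration-side workaround fails: QuoteMeta escapes them, so the legitimate issuer no longer matches at all.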
Exploit
- Attacker sends JWT with iss claim: https://attacker.com/path/https://oidc.eks.x.amazonaws.com/id/y
- Fulcio's GetIssuer() matches this against MetaIssuer patterns
- Unanchored regex matches the embedded pattern as substring
- Fulcio calls oidc.NewProvider() with attacker's URL
- HTTP request goes to attacker.com, not amazonaws.com
- Attacker returns OIDC discovery with jwks_uri pointing to internal service
- Fulcio fetches from internal service → SSRF
References