Home

Description

repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers to access private network addresses, GCP metadata services, or local filesystem paths.

PUBLISHED Reserved 2026-07-06 | Published 2026-07-08 | Updated 2026-07-08 | Assigner VulnCheck




CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

CRITICAL: 9.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Problem types

Server-Side Request Forgery (SSRF)

Product status

Default status
affected

Any version before 1.14.1
affected

Any version
affected

Credits

George Chen reporter

References

github.com/yamadashy/repomix/issues/1703 exploit

github.com/yamadashy/repomix/issues/1703 (GitHub Iusse) issue-tracking

github.com/yamadashy/repomix (Product) product

github.com/...ommit/c748b524f41225e7fc6f89ad0084520901a453cf (Patch Commit) patch

www.vulncheck.com/...idated-repository-urls-in-post-api-pack third-party-advisory

cve.org (CVE-2026-59702)

nvd.nist.gov (CVE-2026-59702)

Download JSON