Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or a SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API call) against http://0.0.0.0:2019/, fully replacing the live Caddy configuration and taking over the reverse proxy. This vulnerability is fixed in 2.1.
The Caddy administrative API (by default without authentication) listens on address 0.0.0.0:2019 inside the Docker container. Although this port is not directly published to the host by docker-compose.yml, it is accessible from the Appsmith server process. An attacker with low privileges can use the SSRF vulnerability to send a POST request to the /load endpoint (or any other admin API call) to address http://0.0.0.0:2019/, allowing complete replacement of the active Caddy configuration.
An attacker can completely replace the configuration of the running Caddy reverse proxy, leading to takeover of control over application network traffic, potential data disclosure (C:H), modification or destruction of resources (I:H), and disruption of service availability (A:H) — with effects extending beyond container boundaries (Scope: Changed).
Appsmith should be updated to version 2.1 or later, where the vulnerability has been fixed. Until the update, it is recommended to restrict network access to port 2019 inside the container and verify the docker-compose configuration for network isolation.
Appsmith in versions prior to 2.1, running in a containerized environment (Docker).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HAppsmith
APPAppsmith< 2.1
Related vulnerabilities
Stored XSS w Appsmith Table Widget prowadzący do przejęcia konta admina
Appsmith: nieuwierzytelniony dostęp do akcji trybu edycji (brak autoryzacji)
Appsmith: przejęcie konta przez manipulację nagłówkiem Origin w linkach e-mail
Appsmith: RCE przez błędnie skonfigurowany PostgreSQL w kontenerze Docker
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled...