ThinkDashboard SSRF Vulnerability

MEDIUM (5.3) Patch Available

Threat Intelligence

Low Risk
EPSS Score: 0.04% chance of exploitation (percentile: 12%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. It allows users to manage bookmarks and access them remotely. A vulnerability in its /api/ping?url= endpoint lets an attacker make the server issue requests to arbitrary internal or external hosts (server-side request forgery). Because the request originates from the server, it can be used to discover open ports on the local machine, hosts on the local network, and ports open on those internal hosts.
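
As an added illustration of the defensive pattern behind this class of bug, the following Go program shows how a "ping this URL" endpoint can validate a user-supplied target before the server fetches it. It is example code written for this page, not ThinkDashboard's own code, and it does not describe how the project fixed the issue in 0.6.8; the names validateTarget, isPublicIP, pinnedClient and resolveHost, and the sample URLs in main, are assumptions made for the example. It rejects non-HTTP schemes, refuses any target that resolves to loopback, private, link-local or otherwise reserved space (including IPv4-mapped IPv6 forms and names that resolve to a mix of public and internal addresses), and then connects to the validated IP rather than re-resolving the name.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Added example of a hardened "ping this URL" check: an assumption about how such an
// endpoint could be written, not ThinkDashboard's own code.

// resolveHost is indirected so tests can run without DNS; defaults to the system resolver.
var resolveHost = net.LookupIP

// extraBlocked: ranges the net.IP predicates do not classify as private
// (CGNAT, IETF protocol assignments, benchmarking, reserved).
var extraBlocked = func() []*net.IPNet {
	var out []*net.IPNet
	for _, c := range []string{"100.64.0.0/10", "192.0.0.0/24", "198.18.0.0/15", "240.0.0.0/4"} {
		_, n, _ := net.ParseCIDR(c)
		out = append(out, n)
	}
	return out
}()

// isPublicIP reports whether a server-side request may be sent to ip. Loopback, RFC 1918
// and ULA private space, link-local (which covers the 169.254.169.254 cloud metadata
// address), unspecified, multicast and the extraBlocked ranges are refused. The net.IP
// predicates unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1), so that encoding is covered too.
func isPublicIP(ip net.IP) bool {
	if ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return false
	}
	for _, n := range extraBlocked {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// validateTarget parses the user-supplied URL, enforces http/https, resolves the host and
// returns the one IP the request may go to. Every address the name resolves to must be
// public: a mix of public and internal records is the classic DNS rebinding setup.
func validateTarget(raw string) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("malformed url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, errors.New("only http and https targets are allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("missing host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not a literal address: ask the resolver
		if ips, err = resolveHost(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, fmt.Errorf("%q resolves to non-public address %s", host, ip)
		}
	}
	return ips[0], nil
}

// pinnedClient dials the already-validated IP instead of resolving the name again at
// connect time (closing the check-then-use window) and refuses redirects, which would
// otherwise let a public host bounce the request to an internal one.
func pinnedClient(ip net.IP) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				_, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				return dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
			},
		},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

func main() {
	// Constructed samples; 203.0.113.10 is from the TEST-NET-3 documentation range.
	for _, t := range []string{"http://127.0.0.1:8080/", "http://[::ffff:10.0.0.5]/",
		"http://169.254.169.254/", "gopher://203.0.113.10/", "http://203.0.113.10/"} {
		_, err := validateTarget(t)
		fmt.Printf("%-28s -> %v\n", t, err)
	}
}
```

In a real handler the flow is: call validateTarget on the query parameter, return 400 on error, and only then issue the request through pinnedClient(ip). Two caveats worth knowing: shorthand literals such as 127.1 are not parsed by net.ParseIP and therefore go through the resolver, which is why the resolved addresses are checked rather than the raw string; and a redirect to a different host would need its own validation and its own pinned client, which is why this example simply refuses to follow redirects.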

Am I affected?

You're affected if you use ThinkDashboard versions 0.6.7 and below. To check if your instance is vulnerable, run find / -name "ThinkDashboard*.exe" (for Windows) or find / -name "ThinkDashboard" (for Linux/Mac) to locate the executable, then verify its version using file ThinkDashboard.exe (Windows) or file ThinkDashboard (Linux/Mac).

Note: This vulnerability is specific to ThinkDashboard 0.6.7 and below; later versions are not affected.

Affected Packages

go: github.com/MatiasDesuu/ThinkDashboard

How to fix

  1. Upgrade to ThinkDashboard version 0.6.8 or higher from the official GitHub repository: https://github.com/MatiasDesuu/ThinkDashboard/releases/tag/0.6.8.
  2. Immediate mitigations:
     - Restrict network access to your ThinkDashboard instance (firewall it from the public internet).
     - Audit admin account activity for suspicious access patterns.
     - Monitor for unauthorized token creation.