fix(security): Move CVE-2025-15467 detection before SSRF check

Content-Type based CVE detection must happen before SSRF patterns to avoid false positives when routing through localhost. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 10:44:23 +01:00 · 2026-02-02 10:44:23 +01:00 · 2ce7c5da3a
commit 2ce7c5da3a
parent 77e572a787
1 changed files with 12 additions and 13 deletions
--- a/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py
+++ b/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py
@ -490,6 +490,18 @@ class SecuBoxAnalytics:
        full_url = request.pretty_url.lower()
        query = request.query
        body = request.content.decode('utf-8', errors='ignore').lower() if request.content else ''
+        content_type = request.headers.get('content-type', '').lower()
+
+        # === CVE-2025-15467 CHECK FIRST (Content-Type based) ===
+        # OpenSSL CMS AuthEnvelopedData stack overflow - must check before SSRF
+        if any(ct in content_type for ct in CMS_CONTENT_TYPES):
+            body_len = len(body) if body else 0
+            severity = 'critical' if body_len > 1024 else 'high'
+            return {
+                'is_scan': True, 'pattern': 'CVE-2025-15467', 'type': 'cve_exploit',
+                'severity': severity, 'category': 'cms_attack',
+                'cve': 'CVE-2025-15467'
+            }

        # Build combined search string
        search_targets = [path, full_url, body]
@ -551,7 +563,6 @@ class SecuBoxAnalytics:
                }

        # Check XXE (in body/headers for XML)
-        content_type = request.headers.get('content-type', '').lower()
        if 'xml' in content_type or body.startswith('<?xml'):
            for pattern in XXE_PATTERNS:
                if re.search(pattern, body, re.IGNORECASE):
@ -560,18 +571,6 @@ class SecuBoxAnalytics:
                        'severity': 'critical', 'category': 'xml_attack'
                    }

-        # Check CVE-2025-15467 (OpenSSL CMS AuthEnvelopedData stack overflow)
-        # Detect potential exploitation attempts via S/MIME/CMS content
-        if any(ct in content_type for ct in CMS_CONTENT_TYPES):
-            # Flag all CMS/S/MIME content as potential CVE-2025-15467 target
-            # Especially suspicious if body is large (oversized IV attack)
-            severity = 'critical' if len(body) > 1024 else 'high'
-            return {
-                'is_scan': True, 'pattern': 'CVE-2025-15467', 'type': 'cve_exploit',
-                'severity': severity, 'category': 'cms_attack',
-                'cve': 'CVE-2025-15467'
-            }
-
        # Check LDAP Injection
        for pattern in LDAP_INJECTION_PATTERNS:
            if re.search(pattern, combined, re.IGNORECASE):