v1.34.1
In Meilisearch v1.34.1, we released a security fix that affects web requests initiated by Meilisearch itself (webhooks, embedders and the network of machines feature).
Security
- Cloud users: no action is needed. We found no evidence of exploitation on Meilisearch Cloud and the Cloud is protected at the infrastructure level.
- Open-source users: if you allow untrusted users to configure webhooks, embedders or the network of machines, we recommend updating to Meilisearch v1.34.1.
In Meilisearch versions v1.8 to v1.34.0, a user holding an API key with write permission on the configuration of the Meilisearch instance could make Meilisearch send GET or POST requests to domains and IP addresses inside the private network of the Meilisearch instance (a server-side request forgery, SSRF), effectively bypassing the firewall. The vulnerability has not yet been assigned a CVE number; a CVE ID has been requested (CVE Request 1975471).
Meilisearch v1.34.1 fixes the vulnerability by forbidding Meilisearch from making any request to a host that resolves to a non-global IP address, in the sense of the IANA IPv4 Special-Purpose Address Registry and the IANA IPv6 Special-Purpose Address Registry. If your instance legitimately needs to reach such addresses (for example an embedder or webhook receiver on the same private network), you can allow specific private networks with the --experimental-allowed-ip-networks parameter after reviewing the security implications.
This is a breaking change, which is allowed for security reasons.
Allowing non-global IP networks
The --experimental-allowed-ip-networks CLI flag and the MEILI_EXPERIMENTAL_ALLOWED_IP_NETWORKS environment variable control the behavior of Meilisearch with regard to non-global IP networks; when both are specified, the CLI flag takes precedence over the environment variable.
- When missing, the default is to reject all web requests resolving to a non-global IP.
- When set to a comma-separated list of CIDR-formatted networks (e.g. 192.168.0.0/16,10.0.0.0/8), web requests to addresses within the listed networks are permitted. Web requests to non-global IPs outside the list are still rejected.
- When set to any, all web requests are permitted regardless of the target IP, matching the behavior of Meilisearch v1.34.0 and lower. Use this option only when you control both the machine and the configuration of the deployed Meilisearch instance, that is, when no untrusted user holds a key able to configure webhooks, embedders or the network of machines.
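The following is an added example, not Meilisearch's own code, of the kind of egress check the setting above configures: resolve the destination, classify every returned address against the IANA special-purpose registries (Python's `ipaddress.is_global` encodes them), and refuse the request unless the address is global, allowlisted, or the allowlist is `any`. The hostnames, the stub resolver and its records are constructed so the script runs offline; a real client would call `socket.getaddrinfo()` and must then connect to one of the vetted addresses rather than re-resolving the name, otherwise a DNS answer that changes between check and connect defeats the check.

```python
"""Egress guard for server-initiated HTTP requests (webhooks, embedders, ...).

Added example, not Meilisearch's code: one way to implement "reject any
destination that resolves to a non-global IP unless it is allowlisted".
"""
import ipaddress
from typing import Callable, Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Allowlist = Union[str, List[IPNetwork]]  # "any" or a list of networks


def parse_allowed_networks(setting: Optional[str]) -> Allowlist:
    """Parse a setting shaped like --experimental-allowed-ip-networks.

    None or ""       -> []      every non-global destination is rejected
    "any"            -> "any"   everything is permitted (pre-fix behaviour)
    "a.b.c.d/n,..."  -> [nets]  only the listed networks are permitted
    strict=True turns a network with host bits set (192.168.1.5/24) into a
    startup error instead of silently masking it. A bare address such as
    "10.0.0.0" parses as a single host (/32), not the classful /8.
    """
    if setting is None or not setting.strip():
        return []
    if setting.strip().lower() == "any":
        return "any"
    return [ipaddress.ip_network(part.strip(), strict=True)
            for part in setting.split(",") if part.strip()]


def normalize(addr: IPAddress) -> IPAddress:
    """Unmap IPv4-mapped IPv6 (::ffff:10.0.0.1 -> 10.0.0.1) so the registry
    check and the allowlist match see the IPv4 address it really is."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_global_address(addr: Union[str, IPAddress]) -> bool:
    """True iff the address is globally reachable per the IANA IPv4/IPv6
    Special-Purpose Address Registries (loopback, RFC 1918, link-local, CGNAT,
    documentation, ULA, ... are all non-global). Multicast is kept in a
    separate IANA registry; rejecting it as well is this example's choice,
    beyond what the release note states."""
    ip = normalize(ipaddress.ip_address(addr))
    return ip.is_global and not ip.is_multicast


def vet_destination(host: str, allowed: Allowlist,
                    resolve: Callable[[str], Iterable[str]]) -> List[IPAddress]:
    """Resolve `host` and return the addresses a request may be sent to.

    Every record is checked; the request is refused (PermissionError) if any
    record is non-global and not allowlisted, so a name with one public and
    one private record does not slip through. Connect to a returned address,
    never to the name, to avoid a rebinding race.
    """
    try:
        records: List[IPAddress] = [ipaddress.ip_address(host)]  # literal IP
    except ValueError:
        records = [ipaddress.ip_address(a) for a in resolve(host)]
    if not records:
        raise PermissionError(f"{host}: no address records")
    vetted: List[IPAddress] = []
    for addr in map(normalize, records):
        if (allowed == "any" or is_global_address(addr)
                or any(addr in net for net in allowed)):
            vetted.append(addr)
        else:
            raise PermissionError(f"{host}: {addr} is non-global and not allowlisted")
    return vetted


def is_destination_allowed(host: str, allowed: Allowlist,
                           resolve: Callable[[str], Iterable[str]]) -> bool:
    try:
        vet_destination(host, allowed, resolve)
        return True
    except PermissionError:
        return False


# Constructed stub resolver so the example runs offline (names and records
# are made up; 169.254.169.254 is the usual cloud metadata address).
STUB_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "db.corp.local": ["10.1.2.3"],
    "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],
    "localhost": ["127.0.0.1", "::1"],
}


def stub_resolve(host: str) -> List[str]:
    return STUB_DNS.get(host, [])


if __name__ == "__main__":
    for setting in (None, "192.168.0.0/16,10.0.0.0/8", "any"):
        allowed = parse_allowed_networks(setting)
        print(f"allowed-ip-networks={setting!r}")
        for host, records in STUB_DNS.items():
            verdict = "allow" if is_destination_allowed(host, allowed, stub_resolve) else "REJECT"
            print(f"  {verdict:6} {host} -> {', '.join(records)}")
```

Two details worth keeping when adapting this: the allowlist is matched after unmapping IPv4-mapped IPv6 addresses, so `::ffff:10.1.2.3` is governed by a `10.0.0.0/8` entry instead of bypassing it, and a name returning several records is rejected if any one of them fails the check rather than being accepted because the first one is public.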
Acknowledgments
Thanks to Gabriel Rodrigues (aka Texugo) for reporting this vulnerability and for helping us improve the security of Meilisearch.