What happened
ToolJet's RestAPI data source executes HTTP requests server-side behind a private IP filter that validates the destination only at the initial DNS resolution, not at connection time. An attacker can bypass it with DNS rebinding or alternate IP representations and make the ToolJet server forward requests to internal services. This is a CVSS 8.3 SSRF affecting all ToolJet deployments that use the RestAPI data source connector.
Why it matters
ToolJet is specifically designed to connect AI agents to internal data sources, databases, and APIs. SSRF in this context means an attacker can reach every internal endpoint that ToolJet's server can reach, including vector databases, AI model serving APIs, internal admin panels, and cloud metadata services, turning a tool connectivity feature into an internal network pivot.
Attack vector
The RestAPI data source component executes HTTP requests server-side and applies its private IP filter only to the initial resolution of the hostname. An attacker can bypass the filter using DNS rebinding (the name resolves to a public address when checked and to an internal one when the socket connects), IPv4-mapped IPv6 addresses, or other SSRF bypass techniques to make the ToolJet server issue requests to internal network addresses, reaching internal services, cloud metadata endpoints, and AI backend infrastructure.
Affected systems
ToolJet < 3.20.178-lts
Mitigation
Upgrade to ToolJet 3.20.178-lts. Advisory: https://github.com/ToolJet/ToolJet/security/advisories/GHSA-h49f-mhmm-jx4w