| عنوان | BigSweetPotatoStudio HyperChat 2.0.0-alpha.63 Server-Side Request Forgery |
|---|
| الوصف | A server-side request forgery (SSRF) vulnerability (CWE-918) has been identified in the AI proxy middleware of HyperChat, specifically within packages/core/src/http/aiProxyMiddleware.mts. The HTTP middleware accepts an attacker-controlled baseurl request header, appends the remaining request path, and forwards the request using fetch() without validation or allowlisting. An attacker with network access to the HyperChat HTTP service can coerce the server into making arbitrary outbound HTTP requests to attacker‑controlled or internal destinations. Version 2.0.0-alpha.63 is confirmed affected, and no fixed version is available at the time of reporting. |
|---|
| المصدر | ⚠️ https://github.com/BigSweetPotatoStudio/HyperChat/issues/142 |
|---|
| المستخدم | BruceJin (UID 96538) |
|---|
| ارسال | 10/04/2026 06:34 PM (2 أشهر منذ) |
|---|
| الاعتدال | 27/04/2026 05:38 PM (17 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 359823 [BigSweetPotatoStudio HyperChat حتى 2.0.0-alpha.63 AI Proxy Middleware aiProxyMiddleware.mts fetch baseurl تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|