Submission #812176: cal.com <= v4.9.4 Server-Side Request Forgery (CWE-918)
Information

Title: cal.com <= v4.9.4 Server-Side Request Forgery (CWE-918)
Description:
# Technical Details
A Server-Side Request Forgery (SSRF) bypass of the time-of-check-to-time-of-use (TOCTOU) kind exists in the `GET` logo rendering handler in `apps/web/app/api/logo/route.ts` of cal.com. The handler validates the user-supplied logo URL against its SSRF rules, but the subsequent `fetch` call follows HTTP redirects automatically, so the URL that was validated is not necessarily the URL that is finally requested, and the static SSRF validation is bypassed.
# Vulnerable Code
File: apps/web/app/api/logo/route.ts
Method: GET
Why: The handler validates the URL with `await validateUrlForSSRF(filteredLogo)`, then issues `await fetch(filteredLogo, { signal: AbortSignal.timeout(10000) })`. The `fetch` call does not set `redirect: "manual"`, so Node's `fetch` transparently follows any `3xx` response with a `Location` header, and the redirect target is never passed through `validateUrlForSSRF`.
# Reproduction
1. As a user with permission to edit team settings, update the team avatar (logo) URL.
2. Supply a public, attacker-controlled URL that answers with an unconditional `HTTP 302` whose `Location` points at `http://x.x.x.x/latest/meta-data/`, the instance metadata path of the cloud provider.
3. The server validates only the initial public URL, which passes the IP/CIDR checks.
4. The server's `fetch` follows the 302 to the internal address, requests the metadata endpoint from inside the protected network and returns its content through the logo endpoint, bypassing the SSRF protection.
# Impact
- Read access to the instance metadata service of the hosting cloud (AWS/GCP) from the application server, exposing instance configuration and credentials and enabling rapid infrastructure compromise.
- Enumeration of and requests to internal services reachable from the application host without authentication, such as Redis and Postgres.
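To show the pattern the report describes next to a fix, the following is an added example and not cal.com's own code. It models the two behaviours side by side: a function that validates the URL once and then lets the client follow redirects, and a hardened function that requests with `redirect: "manual"`, reads the `Location` header itself and runs every hop through the same SSRF check before requesting it. `isBlockedUrl` is an assumed stand-in for `validateUrlForSSRF` (it only classifies literal addresses and a few well-known hostnames and does not resolve DNS), the function names `fetchLogoAsDescribed` and `fetchLogoHardened`, the hosts `attacker.example` and `cdn.example`, and the redirect target `169.254.169.254` used as the metadata address are all assumptions made for this example. The fake `fetch` is a constructed test double so the example runs without network access.

```typescript
// Added example, not cal.com's own code. isBlockedUrl, fetchLogoAsDescribed,
// fetchLogoHardened, attacker.example, cdn.example and the use of
// 169.254.169.254 as the metadata address are assumptions for this example.

// Minimal shapes so the logic runs against real fetch or a fake.
export interface MinimalResponse {
  status: number;
  headers: { get(name: string): string | null };
}
export type FetchLike = (url: string, init: { redirect: "manual" }) => Promise<MinimalResponse>;

// Assumed stand-in for validateUrlForSSRF: http(s) only, and no literal loopback,
// link-local (incl. 169.254.169.254), private, shared-address or metadata hosts.
// The WHATWG URL parser already normalises forms like http://2130706433/ to
// dotted notation, and serialises IPv4-mapped IPv6 as ::ffff:hhhh:hhhh, so both
// are caught below. A real check must also resolve the hostname and apply the
// same test to every resolved address.
export function isBlockedUrl(raw: string): boolean {
  let u: URL;
  try { u = new URL(raw); } catch { return true; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return true;
  let host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (host === "localhost" || host === "metadata.google.internal") return true;
  // IPv6 literals only (a hostname such as fdroid.example must not match here).
  if (host.includes(":") && /^(::1?$|fe[89ab]|f[cd])/.test(host)) return true;
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    host = `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`; // unwrap IPv4-mapped address
  } else if (host.startsWith("::ffff:")) {
    host = host.slice(7);
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false; // plain hostname: a real implementation resolves and re-checks
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||           // link-local, incl. the cloud metadata address
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);   // 100.64.0.0/10 shared address space
}

// Shared redirect loop. With redirect: "manual", Node's fetch (undici) hands the
// 3xx response back instead of following it, so the caller sees each Location.
async function follow(startUrl: string, fetchImpl: FetchLike, checkEveryHop: boolean,
  maxHops = 5): Promise<{ url: string; response: MinimalResponse }> {
  let current = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (checkEveryHop && isBlockedUrl(current)) throw new Error(`SSRF policy rejected ${current}`);
    const response = await fetchImpl(current, { redirect: "manual" });
    const location = response.headers.get("location");
    if (response.status < 300 || response.status > 399 || location === null) {
      return { url: current, response };
    }
    current = new URL(location, current).toString(); // Location may be relative
  }
  throw new Error(`too many redirects from ${startUrl}`);
}

// Pattern the report describes: validate once, then follow redirects blindly.
export async function fetchLogoAsDescribed(logoUrl: string, fetchImpl: FetchLike) {
  if (isBlockedUrl(logoUrl)) throw new Error(`SSRF policy rejected ${logoUrl}`);
  return follow(logoUrl, fetchImpl, false);
}

// Hardened: every hop, the first one included, goes through the policy.
export function fetchLogoHardened(logoUrl: string, fetchImpl: FetchLike) {
  return follow(logoUrl, fetchImpl, true);
}

// Constructed test double (no network): attacker.example answers 302 into the
// metadata address of the report's scenario; any other host returns 200.
export const fakeFetch: FetchLike = async (url) => {
  if (new URL(url).hostname === "attacker.example") {
    return { status: 302, headers: { get: (n: string) =>
      n.toLowerCase() === "location" ? "http://169.254.169.254/latest/meta-data/" : null } };
  }
  return { status: 200, headers: { get: () => null } };
};

// Demo on the constructed input: the described code ends at the metadata
// address, the hardened code rejects the redirect target.
(async () => {
  const r = await fetchLogoAsDescribed("https://attacker.example/logo.png", fakeFetch);
  console.log("as described, final URL:", r.url);
  await fetchLogoHardened("https://attacker.example/logo.png", fakeFetch)
    .catch((e: Error) => console.log("hardened:", e.message));
})();
```

Setting `redirect: "manual"` on its own only stops the client from following; the fix is the re-validation of each `Location` before it is requested, and the same check has to be applied to the addresses a hostname resolves to, which this literal-only check does not cover.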
Source: https://gist.github.com/YLChen-007/b3d0b85767b7e346a291933d602fbb3b
User: Eric-z (UID 95890)
Submitted: 24/04/2026 01:46 PM (1 month ago)
Moderation: 22/05/2026 07:55 PM (28 days later)
Status: Approved
VulDB Entry: 365251 [calcom cal.diy up to 4.9.4 Logo API route.ts validateUrlForSSRF privilege bypass]
Points: 20
