| Title | assafelovic gpt-researcher 3.4.3 Unauthenticated Server-Side Request Forgery (SSRF) |
|---|---|
| Description | GPT Researcher v3.4.3 and earlier versions are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) via the WebSocket /ws endpoint. An attacker can supply arbitrary URLs in the source_urls parameter of a WebSocket start command, causing the server to make HTTP requests to attacker-specified internal or external hosts without any URL validation, scheme restriction, or IP address filtering. The scraped content is returned to the attacker through the research report output, making this a full-read SSRF. No authentication is required to exploit this vulnerability. |
| Source | https://github.com/assafelovic/gpt-researcher/issues/1696 |
| User | Yu-Bao (UID 96702) |
| Submission | 23.03.2026 04:19 (1 month ago) |
| Moderation | 05.04.2026 21:13 (14 days later) |
| Status | Accepted |
| VulDB Entry | 355421 [assafelovic gpt-researcher up to 3.4.3 ws Endpoint source_urls privilege escalation] |
| Points | 20 |
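The description names three controls the server lacks: scheme restriction, URL validation and IP address filtering on the hosts that source_urls makes it fetch. The following is an added example of what such a check looks like when applied to a source_urls list before anything is scraped; it is not code from the VulDB submission or from the gpt-researcher project. The function names, the constructed sample URLs and the stub DNS resolver (`fake_resolve`, used so the example runs offline) are assumptions made for illustration. It also handles two edge cases a naive host check misses: an IPv4-mapped IPv6 literal such as `[::ffff:127.0.0.1]`, and a hostname whose DNS answer contains a blocked address alongside a public one.

```python
"""Reject SSRF-prone source URLs before a server-side fetcher contacts them.

Added example, not gpt-researcher code. Names and sample data are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Assumption: only web pages are legitimate research sources.
ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetcher must never reach. ipaddress.is_global already
# covers most of these; the explicit list keeps the policy readable and
# independent of the Python version's classification tables.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",            # link-local, including cloud metadata endpoints
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], List[str]]


def is_blocked_address(ip: str) -> bool:
    """True for loopback, private, link-local, multicast or otherwise non-global targets."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is loopback wearing an IPv6 coat; judge the inner IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if not addr.is_global or addr.is_multicast:
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_host(host: str) -> List[str]:
    """Resolve a hostname to every address it currently maps to (real DNS)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    return sorted({info[4][0] for info in infos})


def validate_source_url(url: str, resolve: Resolver = resolve_host) -> List[str]:
    """Return the addresses a fetch of url would contact, or raise ValueError.

    The caller should connect to one of the returned addresses (keeping the
    original hostname for Host/SNI) instead of resolving again; otherwise a
    DNS answer that changes between check and use defeats the check. Any HTTP
    redirect the fetch follows must be validated the same way.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:          # blocks file:, gopher:, ...
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname                            # lowercased, brackets stripped
    if not host:
        raise ValueError("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials in URL are not allowed")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        addresses = resolve(host)                     # hostname: resolve every answer
    if not addresses:
        raise ValueError(f"{host!r} did not resolve")
    blocked = [a for a in addresses if is_blocked_address(a)]
    if blocked:                                       # one bad answer rejects the host
        raise ValueError(f"{host!r} resolves to a blocked address: {blocked[0]}")
    return addresses


def filter_source_urls(urls: List[str], resolve: Resolver = resolve_host) -> Dict[str, dict]:
    """Split a source_urls list into fetchable URLs (with addresses) and rejected ones (with reason)."""
    accepted: Dict[str, List[str]] = {}
    rejected: Dict[str, str] = {}
    for url in urls:
        try:
            accepted[url] = validate_source_url(url, resolve)
        except ValueError as exc:
            rejected[url] = str(exc)
    return {"accepted": accepted, "rejected": rejected}


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.example": ["10.1.2.3"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise ValueError(f"cannot resolve {host!r}")
    return FAKE_DNS[host]


# Constructed source_urls list mixing a legitimate source with SSRF-style entries.
SAMPLE_SOURCE_URLS = [
    "https://public.example/report.html",
    "http://127.0.0.1:8000/",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::ffff:10.0.0.5]/",
    "file:///etc/passwd",
    "http://intranet.example/",
    "http://rebind.example/",
    "http://admin@public.example/",
]

if __name__ == "__main__":
    result = filter_source_urls(SAMPLE_SOURCE_URLS, resolve=fake_resolve)
    for url, addrs in result["accepted"].items():
        print("ACCEPT", url, addrs)
    for url, why in result["rejected"].items():
        print("REJECT", url, "-", why)
```

Running it accepts only `https://public.example/report.html` and rejects the other seven entries with a reason each. The check is a fetch-side control and does not replace the missing authentication on the /ws endpoint, which the submission reports separately; it limits what an unauthenticated caller can make the server fetch.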