| Field | Value |
|---|---|
| Title | bigsk1 openai-realtime-ui Commit 188ccde27fdf3d8fab8da81f3893468f53b2797c Server-Side Request Forgery |
| Description | A server-side request forgery (SSRF) vulnerability (CWE-918) has been identified in openai-realtime-ui, specifically in the server.js component. The /api/proxy endpoint accepts a user-supplied `url` query parameter and passes it directly to `fetch` without validation or allowlisting. An attacker with network access to the exposed HTTP interface can use this to make arbitrary outbound requests from the server, potentially reaching internal services, cloud metadata endpoints, or other restricted resources. This can lead to unauthorized information disclosure and, depending on the internal environment, further compromise. Versions up to and including the latest commit (188ccde) are confirmed affected. |
| Source | https://github.com/bigsk1/openai-realtime-ui/issues/1 |
| User | BruceJin (UID 96538) |
| Submission | 24.03.2026 10:46 (17 days ago) |
| Moderation | 08.04.2026 16:37 (15 days later) |
| Status | Accepted |
| VulDB Entry | 356242 [bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c API Proxy Endpoint server.js query privilege escalation] |
| Points | 20 |