| Titel | ItzCrazyKns Vane 1.12.1 SSRF via Model Provider baseURL |
|---|
| Beschreibung | The POST /api/providers endpoint allows unauthenticated users to register new model providers with an arbitrary baseURL parameter. Upon registration, the server immediately initiates an HTTP request from the server side to ${baseURL}/api/tags (for Ollama-type providers) or similar endpoints for other provider types, without any validation of the target URL. |
|---|
| Quelle | ⚠️ https://github.com/ItzCrazyKns/Vane/issues/1124 |
|---|
| Benutzer | Yu-Bao (UID 96702) |
|---|
| Einreichung | 26.04.2026 04:00 (vor 1 Monat) |
|---|
| Moderieren | 23.05.2026 16:01 (28 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 365336 [ItzCrazyKns Vane bis 1.12.1 Model Provider API route.ts baseURL erweiterte Rechte] |
|---|
| Punkte | 19 |
|---|