| Title | ChatGPTNextWeb NextChat 2.16.1 Permissive CORS Wildcard Policy |
|---|---|
| Description | NextChat configures its Next.js application to attach maximally permissive CORS response headers to every API endpoint under the /api/* path prefix. The configuration in next.config.mjs (lines 38-63) sets wildcard values, including Access-Control-Allow-Headers: *. This allows any website on the internet to make cross-origin requests to all NextChat API endpoints. Because Access-Control-Allow-Headers: * permits custom request headers, attacker-controlled JavaScript can set the x-base-url header, which the proxy endpoint (/api/[provider]/[...path]/route.ts) uses to determine the server-side fetch destination. This directly enables cross-origin SSRF attacks. |
| Source | https://github.com/ChatGPTNextWeb/NextChat/issues/6756 |
| User | Yu_Bao (UID 89348) |
| Submission | 17/04/2026 07:19 AM (2 months ago) |
| Moderation | 01/05/2026 06:34 PM (14 days later) |
| Status | Accepted |
| VulDB Entry | 360755 [ChatGPTNextWeb NextChat up to 2.16.1 API Endpoint Next.js privilege escalation] |
| Points | 20 |