| Title | cal.com <= v4.9.4 Server-Side Request Forgery (CWE-918) |
|---|---|

# Description

## Technical Details

A critical Time-of-Check to Time-of-Use (TOCTOU) Server-Side Request Forgery (SSRF) bypass exists in the `GET` logo-rendering handler in `apps/web/app/api/logo/route.ts` of cal.com.

The handler validates the logo URL before fetching it, but the subsequent `fetch` call follows HTTP redirects automatically, so the static SSRF URL validation can be bypassed entirely by a redirect to an unvalidated target.
## Vulnerable Code

File: `apps/web/app/api/logo/route.ts`

Method: GET

Why: The backend validates the URL by calling `await validateUrlForSSRF(filteredLogo)`. However, the downstream call `await fetch(filteredLogo, { signal: AbortSignal.timeout(10000) })` omits the `redirect: "manual"` option, so Node's `fetch` follows redirects on its own and the redirect target is requested without ever passing through the validation.
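The following is an added example, not cal.com's code, showing the fix pattern the report implies: request each hop with `redirect: "manual"` and validate the URL of every hop before it is requested, with a cap on the number of redirects. `isSafeUrl` is a simplified stand-in for the project's `validateUrlForSSRF` (it only inspects literal hosts; a production validator must also resolve DNS names), the `FetchLike` interface and `makeFakeFetch` are assumptions that let the logic run offline, and the hostnames and the internal address `10.0.0.5` in `SAMPLE_ROUTES` are constructed. `vulnerableFetch` models the validate-once-then-follow-blindly behaviour described above so the two can be compared.

```typescript
// Added example (not cal.com's code): validate every hop of a redirect chain
// instead of letting fetch follow redirects unchecked.

// Minimal shape of a fetch-like function so the logic can be exercised
// offline with a fake transport and used in production with the global fetch.
interface MinimalResponse {
  status: number;
  headers: { get(name: string): string | null };
}
type FetchLike = (url: string, init: { redirect: "manual" }) => Promise<MinimalResponse>;

// Simplified stand-in for validateUrlForSSRF (assumption, not the project's code).
// It rejects non-HTTP schemes, loopback names and literal private/link-local
// IPv4 addresses; it does NOT resolve DNS, which a real validator must do.
const BLOCKED_HOSTNAMES = new Set(["localhost", "[::1]"]);

function isPrivateIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

export function isSafeUrl(raw: string): boolean {
  let u: URL;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host)) return false;
  return !isPrivateIPv4(host);
}

export const MAX_REDIRECTS = 5;

// Hardened pattern: manual redirects, every hop validated, hop count capped.
export async function safeFetch(startUrl: string, fetchImpl: FetchLike): Promise<MinimalResponse> {
  let current = startUrl;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (!isSafeUrl(current)) throw new Error(`blocked URL at hop ${hop}: ${current}`);
    const res = await fetchImpl(current, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || !location) return res;
    // Resolve relative Location headers against the current URL.
    current = new URL(location, current).toString();
  }
  throw new Error(`too many redirects (> ${MAX_REDIRECTS})`);
}

// Model of the reported pattern: validate once, then follow every redirect
// without re-checking (what fetch does by itself without redirect: "manual").
export async function vulnerableFetch(startUrl: string, fetchImpl: FetchLike): Promise<MinimalResponse> {
  if (!isSafeUrl(startUrl)) throw new Error(`blocked URL: ${startUrl}`);
  let current = startUrl;
  for (;;) {
    const res = await fetchImpl(current, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || !location) return res;
    current = new URL(location, current).toString(); // never re-validated
  }
}

// Constructed offline transport: a lookup table of URL -> canned response that
// records every URL it was asked for, so tests can see which hosts were hit.
function redirectTo(location: string, status = 302): MinimalResponse {
  return { status, headers: { get: (n) => (n.toLowerCase() === "location" ? location : null) } };
}
function ok(): MinimalResponse {
  return { status: 200, headers: { get: () => null } };
}

export const SAMPLE_ROUTES: Record<string, MinimalResponse> = {
  // Public host that bounces to a constructed internal address.
  "https://logo.example.com/avatar.png": redirectTo("http://10.0.0.5/latest/meta-data/"),
  "http://10.0.0.5/latest/meta-data/": ok(),
  // Benign chain that should still work after the fix.
  "https://cdn.example.com/old.png": redirectTo("/new.png", 301),
  "https://cdn.example.com/new.png": ok(),
};

export function makeFakeFetch(routes: Record<string, MinimalResponse>) {
  const calls: string[] = [];
  const fn: FetchLike = async (url) => {
    calls.push(url);
    return routes[url] ?? { status: 404, headers: { get: () => null } };
  };
  return Object.assign(fn, { calls });
}
```

In the route handler the `fetchImpl` argument would be the global `fetch` with the existing `AbortSignal.timeout(10000)` passed through per hop; the essential change is that the URL checked by the validator is the same URL that is actually requested, on every hop.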
## Reproduction

1. Using team configuration permissions, update a team's avatar parameters.
2. Supply a valid public URL that points to a server responding with an unconditional `HTTP 302` redirect to `http://x.x.x.x/latest/meta-data/`.
3. The server validates only the initial URL, which passes the SSRF IP/CIDR checks.
4. The server then calls `fetch`, which follows the 302 blindly, requests the internal metadata endpoint and returns its contents, bypassing the SSRF protection.
## Impact

- Full read of protected internal cloud configuration (AWS/GCP instance metadata), permitting extraction of backend environment details and rapid infrastructure compromise.
- Unauthenticated SSRF-based scanning of internal services such as Redis and Postgres.
| Field | Value |
|---|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/b3d0b85767b7e346a291933d602fbb3b |
| User | Eric-z (UID 95890) |
| Submission | 24/04/2026 01:46 PM (1 month ago) |
| Moderation | 22/05/2026 07:55 PM (28 days later) |
| Status | Accepted |
| VulDB Entry | 365251 [calcom cal.diy up to 4.9.4 Logo API route.ts validateUrlForSSRF privilege escalation] |
| Points | 20 |