जमा करें #844659: AstrBotDevs AstrBot 4.25.2 Server-Side Request Forgery (CWE-918)जानकारी

शीर्षकAstrBotDevs AstrBot 4.25.2 Server-Side Request Forgery (CWE-918)
विवरण# Technical Details An authenticated SSRF exists in the plugin market registry flow implemented by `get_online_plugins()`, `_build_registry_source()`, and `_fetch_remote_md5()` in `astrbot/dashboard/routes/plugin.py` of AstrBot. The application fails to validate attacker-supplied registry URLs before issuing server-side requests. The `custom_registry` query parameter is used directly as a fetch target and also used to derive a second `-md5.json` request. There is no allowlist, private-network filtering, scheme restriction, or redirect validation. # Vulnerable Code File: `astrbot/dashboard/routes/plugin.py` Method: `get_online_plugins()` Why: The handler reads `custom_registry` from the request, passes it into `_build_registry_source()`, and performs `session.get(url)` on the resulting attacker-controlled URL. `_fetch_remote_md5()` makes a second request to a derived attacker-influenced MD5 URL, creating an additional SSRF sink. # Reproduction 1. Start a reachable HTTP listener that serves `/market-custom.json` and `/market-custom-md5.json`. 2. Authenticate to the AstrBot dashboard. 3. Send `GET /api/plugin/market_list?custom_registry=http://127.0.0.1:19001/market-custom.json&force_refresh=true`. 4. Observe the AstrBot server contacting the listener for both `/market-custom.json` and `/market-custom-md5.json`. 5. Repeat without `custom_registry` and confirm the observer receives no callbacks. # Impact - Authenticated users can force AstrBot to make requests to loopback, RFC1918, or otherwise internal HTTP services reachable from the host. - The issue can be used for internal network probing, metadata access attempts, and interaction with internal-only management interfaces.
स्रोत⚠️ https://gist.github.com/YLChen-007/cd162554554c273a3a7c0330aa02f3f0
उपयोगकर्ता
 Eric-a (UID 96353)
सबमिशन01/06/2026 10:19 AM (1 महीना पहले)
संयम11/07/2026 02:42 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि377807 [AstrBotDevs AstrBot तक 4.25.2 market_list Endpoint plugin.py get_online_plugins custom_registry अधिकार वृद्धि]
अंक20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!