| 제목 | Bytedesk <=1.3.9 SSRF |
|---|
| 설명 | The endpoint GET /openrouter/api/v1/models accepts a user-supplied apiUrl parameter and passes it directly to a RestTemplate.exchange() call without validation or allowlist enforcement. An attacker supplies an attacker-controlled URL, causing the server to issue an outbound HTTP request to an arbitrary host. DNS callback logs confirm the SSRF, enabling internal network scanning, cloud metadata access, or credential theft. |
|---|
| 원천 | ⚠️ https://github.com/Bytedesk/bytedesk/issues/20 |
|---|
| 사용자 | ZAST.AI (UID 87884) |
|---|
| 제출 | 2026. 02. 26. AM 07:19 (1 월 ago) |
|---|
| 모더레이션 | 2026. 03. 08. AM 08:20 (10 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 349755 [Bytedesk 까지 1.3.9 SpringAIOpenrouterRestController SpringAIOpenrouterRestService.java getModels apiUrl 권한 상승] |
|---|
| 포인트들 | 19 |
|---|