| Field | Value |
|---|---|
| Title | huimeicloud hmEditor 2.2.3 Server-Side Request Forgery |
| Description | A server-side request forgery (SSRF) vulnerability has been identified in hmEditor, a product developed by huimeicloud. The application fails to properly validate user-supplied URLs in multiple request handlers, allowing an attacker to make arbitrary HTTP requests from the server. Specifically, the /image-to-base64 endpoint in src/mcp-server.js accepts a url parameter via HTTP POST requests and passes it directly to the client.get() method without sufficient validation or sanitization. Similarly, the src/print.js component passes user-controlled URLs to Puppeteer's page.goto() method. An attacker can exploit this flaw to probe internal network resources, access sensitive metadata endpoints (e.g., cloud instance metadata services), or interact with other internal systems that are not intended to be exposed. The vulnerability exists because the application trusts user-provided input as the destination for outbound HTTP requests and browser navigation operations without implementing an effective allowlist or blocking dangerous destinations such as loopback addresses or private network ranges. |
| Source | https://github.com/wing3e/public_exp/issues/11 |
| User | BigW (UID 96422) |
| Submitted | 2026. 03. 16. PM 07:53 (19 days ago) |
| Moderation | 2026. 04. 01. PM 06:04 (16 days later) |
| Status | Accepted |
| VulDB entry | 354701 [huimeicloud hm_editor up to 2.2.3 image-to-base64 Endpoint src/mcp-server.js client.get url privilege escalation] |
| Points | 20 |