Submission #797645: nextchat <= 2.16.1 Server-Side Request Forgery / SSRF (CWE-918) Info

Title: nextchat <= 2.16.1 Server-Side Request Forgery / SSRF (CWE-918)
Description:

# Technical Details

A Server-Side Request Forgery (SSRF) vulnerability allows unauthenticated attackers to execute arbitrary HTTP requests against internal or external networks. The NextChat Next.js proxy route handler (`app/api/proxy.ts`) acts as an open proxy by improperly trusting the `x-base-url` HTTP header to determine the destination URL without any domain validation.

# Vulnerable Code

File: `app/api/proxy.ts` & `app/api/[provider]/[...path]/route.ts`
Method: `proxyHandler`
Why: When an unrecognized provider is specified in the fallback handler (`app/api/[provider]/...`), it defaults to the standard `proxyHandler`. This handler computes `fetchUrl` by concatenating the user-supplied HTTP header `x-base-url` directly with the path. Since there is no domain whitelisting, passing an internal target (e.g. `http://127.0.0.1`) forces the server to fetch that resource directly.

# Reproduction

1. Establish a running instance of NextChat with its API endpoints exposed.
2. Send an HTTP GET request to the `unknown-provider` proxy route: `http://localhost:3000/api/unknown-provider/get?foo=bar`.
3. In the request, inject the `x-base-url: http://x.x.x.x` (or any other internal resource) HTTP header.
4. The server receives the header, trusts the hostname, and streams the internal metadata response directly back to the external client.

# Impact

Server-Side Request Forgery (SSRF). Attackers can proxy requests to internal network services, circumvent firewalls, access internal metadata (e.g., cloud Instance Metadata Service at `x.x.x.x` to steal temporary AWS cloud credentials), or use the server as an open proxy to attack external domains anonymously.
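The root cause above is that the proxy builds its destination from the `x-base-url` header with no origin check. The following is an added example (not NextChat's own code) that contrasts the direct-concatenation pattern the report describes with a hardened resolver that only accepts `http(s)` origins from an operator-configured allowlist and keeps the request path from escaping that origin; `DEFAULT_ALLOWED_ORIGINS` and the function names are assumptions for illustration.

```typescript
// Constructed sample allowlist; in a real deployment this would come from
// operator configuration, not from anything in the client's request.
const DEFAULT_ALLOWED_ORIGINS: string[] = ["https://api.openai.com"];

// Pattern described in the report (illustration, not the project's code):
// the header value becomes the destination with no validation at all.
function buildFetchUrlUnsafe(baseUrlHeader: string, path: string): string {
  return `${baseUrlHeader}/${path}`;
}

// Hardened: parse the header as an absolute URL, require http/https,
// reject embedded credentials, and require the origin to be allowlisted.
// Returns the normalised origin, or null when the header must be refused.
function resolveBaseUrl(
  baseUrlHeader: string | null,
  allowedOrigins: string[],
): string | null {
  if (!baseUrlHeader) return null;
  let parsed: URL;
  try {
    parsed = new URL(baseUrlHeader);
  } catch {
    return null; // not an absolute URL
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  if (parsed.username || parsed.password) return null;
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return allowed.has(parsed.origin) ? parsed.origin : null;
}

// Builds the upstream URL only when the base origin is allowlisted, and
// re-checks that the resolved target still lives on that origin so an
// absolute or protocol-relative path cannot redirect the request elsewhere.
function buildFetchUrl(
  baseUrlHeader: string | null,
  path: string,
  allowedOrigins: string[] = DEFAULT_ALLOWED_ORIGINS,
): string | null {
  const origin = resolveBaseUrl(baseUrlHeader, allowedOrigins);
  if (origin === null) return null;
  const target = new URL(path.replace(/^\/+/, ""), origin + "/");
  return target.origin === origin ? target.toString() : null;
}
```

With the sample allowlist, a loopback or metadata-style base URL is refused outright, while a path that tries to smuggle in a full URL is rejected by the post-resolution origin check.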
Source: https://gist.github.com/YLChen-007/da6b00024f5b7e1d4fa0658c19b77fbf
User: Eric-b (UID 96354)
Submitted: 2026-04-06 05:57 AM (21 days ago)
Moderation: 2026-04-27 10:16 AM (21 days later)
Status: Accepted
VulDB Entry: 359779 [ChatGPTNextWeb NextChat up to 2.16.1 route.ts proxyHandler privilege escalation]
Points: 20
