| Field | Value |
|---|---|
| Title | nextchat <= 2.16.1 Server-Side Request Forgery (CWE-918) / Path Traversal (CWE-22) |
| Description | technical details follow below |

# Technical Details
A Server-Side Request Forgery (SSRF) vulnerability exists in the NextChat artifacts API endpoint. The application passes the unvalidated, user-controlled `id` query parameter directly into a backend fetch request targeting the Cloudflare KV API. Using directory traversal segments (`../`), an attacker can escape the restricted KV namespace path and invoke arbitrary Cloudflare API endpoints with the server's highly privileged `CLOUDFLARE_KV_API_KEY`.
# Vulnerable Code
File: app/api/artifacts/route.ts
Method: GET handler
Why: The route acts as a proxy that retrieves artifacts from a Cloudflare KV store. It concatenates the `id` taken from `searchParams` into a URL (`${storeUrl()}/values/${id}`) without validation. Because `fetch()` normalizes the URL path before sending the request (the WHATWG URL parser collapses `..` segments), a traversal payload such as `../../..` steps outside the KV namespace scope and resolves to the Cloudflare API root. Compounding the issue, the `storeHeaders()` function always injects the `Authorization: Bearer cloudflareKVApiKey` token into these requests.
# Reproduction
1. Ensure the target instance is configured with Cloudflare KV (which attaches the KV API keys).
2. The attacker crafts a request to the `GET /api/artifacts` endpoint.
3. The attacker supplies exactly 7 traversal segments in the `id` parameter: `?id=../../../../../../../user/tokens/verify`.
4. The backend `fetch()` resolves the path relative to the hardcoded endpoint, so the request is sent to the Cloudflare API itself (`https://api.cloudflare.com/client/v4/user/tokens/verify`) with the server's bearer token attached.
# Impact
Critical SSRF & Identity Takeover. The attacker can directly call privileged Cloudflare API endpoints using the `CLOUDFLARE_KV_API_KEY` configured by the administrator. Depending on the token's scope, this could allow full account takeover of the victim's Cloudflare infrastructure, manipulation of DNS settings, reading of other namespaces, or bypassing of proxy protections.
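As an added example (not NextChat's own code), the JavaScript below contrasts the concatenation pattern described above with a hardened builder that allowlists the `id`, percent-encodes it, and checks that the normalized URL still sits under the namespace's `values/` path. The base URL shape follows the Cloudflare KV values API; the account and namespace ids and the id policy are assumptions.

```javascript
// Added example, not NextChat's own code. The base URL follows the Cloudflare
// KV "values" API shape; account and namespace ids are placeholders.
const KV_NAMESPACE_BASE =
  "https://api.cloudflare.com/client/v4/accounts/ACCOUNT_ID_PLACEHOLDER" +
  "/storage/kv/namespaces/NAMESPACE_ID_PLACEHOLDER";
const VALUES_PREFIX = `${KV_NAMESPACE_BASE}/values/`;

// Assumed artifact-id policy: short, opaque, no dots or slashes.
const ARTIFACT_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

// The pattern the advisory describes: raw concatenation, then the WHATWG URL
// normalization that fetch() applies, which collapses ".." segments.
function unsafeValueUrl(id) {
  return new URL(`${KV_NAMESPACE_BASE}/values/${id}`).href;
}

// Hardened builder: allowlist the id, percent-encode it, and verify that the
// normalized URL still starts with VALUES_PREFIX. Returns null on rejection so
// the route handler can answer 400 instead of proxying the request.
function safeValueUrl(id) {
  if (typeof id !== "string" || !ARTIFACT_ID_RE.test(id)) return null;
  const url = new URL(VALUES_PREFIX + encodeURIComponent(id));
  if (!url.href.startsWith(VALUES_PREFIX)) return null; // defense in depth
  return url.href;
}

// Detection helper for request logs: would this id leave the values/ directory
// once normalized? Useful for flagging attempts against unpatched instances.
function escapesNamespace(id) {
  return !unsafeValueUrl(id).startsWith(VALUES_PREFIX);
}
```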

| Field | Value |
|---|---|
| Source | https://gist.github.com/YLChen-007/43252d45d75e8bdd2d45136fd6ffe8a5 |
| User | Eric-b (UID 96354) |
| Submitted | 2026-04-06 05:57 AM (22 days ago) |
| Moderation | 2026-04-27 10:16 AM (21 days later) |
| Status | Accepted |
| VulDB entry | 359780 [ChatGPTNextWeb NextChat up to 2.16.1 Artifacts Endpoint route.ts storeUrl id privilege escalation] |
| Points | 20 |