| Title | sonic https://github.com/go-sonic/sonic 1.1.4 Server-Side Request Forgery |
|---|
| Description | A Server-Side Request Forgery (SSRF) vulnerability exists in the theme fetching functionality of go-sonic/sonic blogging platform. The vulnerability allows an authenticated administrator to make the server send HTTP requests to arbitrary internal or external URLs, and read local files via the `file://` protocol.
1. **SSRF via Theme Fetching API:**
- In the file `service/theme/git_fetcher.go`, the `FetchTheme` function accepts a user-supplied URL and directly passes it to the `git.PlainClone` function without any validation or sanitization.
- The vulnerable code:
```go
func (g gitThemeFetcherImpl) FetchTheme(ctx context.Context, file interface{}) (*dto.ThemeProperty, error) {
gitURL := file.(string) // User-controlled input
// ...
_, err := git.PlainClone(filepath.Join(tempDir, themeDirName), false, &git.CloneOptions{
URL: gitURL, // Directly used without validation
})
```
2. **Exploitation Vectors:**
- **Internal Network Scanning:** Attacker can probe internal services by specifying internal IP addresses
- **Local File Access:** Using `file://` protocol to access local files on the server
- **Cloud Metadata Access:** In cloud environments (AWS/GCP/Azure), attacker can access instance metadata endpoints
- **DNS-based Detection:** Attacker can use DNSLog services to confirm outbound requests
3. **Prerequisites:**
- Valid administrator credentials are required
- The vulnerable endpoint requires authentication via `Admin-Authorization` header |
|---|
| Source | ⚠️ https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ |
|---|
| User | hiro (UID 93548) |
|---|
| Submission | 12/19/2025 09:22 (4 months ago) |
|---|
| Moderation | 01/01/2026 10:38 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 339335 [go-sonic up to 1.1.4 Theme Fetching API git_fetcher.go FetchTheme uri server-side request forgery] |
|---|
| Points | 20 |
|---|