| Title | huimeicloud hmEditor 2.2.3 Server-Side Request Forgery |
|---|
| Description | A server-side request forgery (SSRF) vulnerability has been identified in hmEditor, a product developed by huimeicloud. The application fails to properly validate user-supplied URLs in multiple request handlers, allowing an attacker to make arbitrary HTTP requests from the server. Specifically, the /image-to-base64 endpoint in src/mcp-server.js accepts a url parameter via HTTP POST requests and passes it directly to the client.get() method without sufficient validation or sanitization. Similarly, the src/print.js component passes user-controlled URLs to Puppeteer's page.goto() method. An attacker can exploit this flaw to probe internal network resources, access sensitive metadata endpoints (e.g., cloud instance metadata services), or interact with other internal systems that are not intended to be exposed. The vulnerability exists because the application trusts user-provided input as the destination for outbound HTTP requests and browser navigation operations without implementing an effective allowlist or blocking dangerous destinations such as loopback addresses or private network ranges.
|
|---|
| Source | ⚠️ https://github.com/wing3e/public_exp/issues/11 |
|---|
| User | BigW (UID 96422) |
|---|
| Submission | 03/16/2026 19:53 (21 days ago) |
|---|
| Moderation | 04/01/2026 18:04 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 354701 [huimeicloud hm_editor up to 2.2.3 image-to-base64 Endpoint src/mcp-server.js client.get url server-side request forgery] |
|---|
| Points | 20 |
|---|