| Title | bigsk1 openai-realtime-ui Commit 188ccde27fdf3d8fab8da81f3893468f53b2797c Server-Side Request Forgery |
|---|
| Description | A server-side request forgery (SSRF) vulnerability (CWE-918) has been identified in openai-realtime-ui, specifically within the server.js component. The /api/proxy endpoint accepts a user-supplied url query parameter and passes it directly to fetch without validation or allowlisting. An attacker with network access to the exposed HTTP interface can exploit this to make arbitrary outbound requests from the server, potentially accessing internal services, cloud metadata endpoints, or other restricted resources. This can lead to unauthorized information disclosure and, depending on the internal environment, further compromise. Versions up to and including the latest commit (188ccde) are confirmed affected. |
|---|
| Source | ⚠️ https://github.com/bigsk1/openai-realtime-ui/issues/1 |
|---|
| User | BruceJin (UID 96538) |
|---|
| Submission | 03/24/2026 10:46 (4 months ago) |
|---|
| Moderation | 04/08/2026 16:37 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 356242 [bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c API Proxy Endpoint server.js Query server-side request forgery] |
|---|
| Points | 20 |
|---|