Submit #802265: BigSweetPotatoStudio HyperChat 2.0.0-alpha.63 Server-Side Request Forgeryinfo

TitleBigSweetPotatoStudio HyperChat 2.0.0-alpha.63 Server-Side Request Forgery
DescriptionA server-side request forgery (SSRF) vulnerability (CWE-918) has been identified in the AI proxy middleware of HyperChat, specifically within packages/core/src/http/aiProxyMiddleware.mts. The HTTP middleware accepts an attacker-controlled baseurl request header, appends the remaining request path, and forwards the request using fetch() without validation or allowlisting. An attacker with network access to the HyperChat HTTP service can coerce the server into making arbitrary outbound HTTP requests to attacker‑controlled or internal destinations. Version 2.0.0-alpha.63 is confirmed affected, and no fixed version is available at the time of reporting.
Source⚠️ https://github.com/BigSweetPotatoStudio/HyperChat/issues/142
User
 BruceJin (UID 96538)
Submission04/10/2026 18:34 (3 months ago)
Moderation04/27/2026 17:38 (17 days later)
StatusAccepted
VulDB entry359823 [BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63 AI Proxy Middleware aiProxyMiddleware.mts fetch baseurl server-side request forgery]
Points20

Do you know our Splunk app?

Download it now for free!