Submit #812176: cal.com <= v4.9.4 Server-Side Request Forgery (CWE-918)info

Titlecal.com <= v4.9.4 Server-Side Request Forgery (CWE-918)
Description# Technical Details A critical Time-of-Check to Time-of-Use (TOCTOU) Server-Side Request Forgery (SSRF) architecture bypass exists inside the `GET` logo rendering method in `apps/web/app/api/logo/route.ts` of cal.com. The application fails to truncate automatic HTTP request mapping logic following internal `fetch` API execution, entirely mitigating static SSRF URL validation boundaries explicitly. # Vulnerable Code File: apps/web/app/api/logo/route.ts Method: GET Why: The backend attempts validation securely calling `await validateUrlForSSRF(filteredLogo)`. However, the downstream object execution `await fetch(filteredLogo, { signal: AbortSignal.timeout(10000) })` omits critical static Node redirection blocks explicitly (`redirect: "manual"`), resulting in an architectural vulnerability inherently mapping downstream relocation endpoints inside unmonitored routing scopes automatically. # Reproduction 1. Navigate inwards leveraging configuration permissions natively to update a specific Team avatar parameters. 2. Supply a valid public URL resolving to a generic tracking instance executing an unconditional `HTTP 302` relocation directly addressing `http://x.x.x.x/latest/meta-data/`. 3. The server natively parses the primary URI securely bypassing SSRF IP/CIDR evaluation accurately. 4. The server systematically triggers internal generic `fetch` mechanisms pulling the unmonitored 302 instruction blindly, mapping internally recursively inside protected loops effortlessly and generating a full metadata read via restricted targets successfully bypassing protection structures. # Impact - Full Read Exfiltration over protected Internal Cloud Configuration (AWS/GCP), permitting immediate extraction of explicit backend environment roots equalling rapid infrastructure compromise autonomously. - Automated Internal Service Iteration scanning bridging unauthenticated SSRF vectors towards inner architecture endpoints like Redis, Postgres internally directly.
Source⚠️ https://gist.github.com/YLChen-007/b3d0b85767b7e346a291933d602fbb3b
User
 Eric-z (UID 95890)
Submission04/24/2026 13:46 (3 months ago)
Moderation05/22/2026 19:55 (28 days later)
StatusAccepted
VulDB entry365251 [calcom cal.diy up to 4.9.4 Logo API route.ts validateUrlForSSRF server-side request forgery]
Points20

Do you want to use VulDB in your project?

Use the official API to access entries easily!