| Title | nextchat <= 2.16.1 Server-Side Request Forgery / SSRF (CWE-918) |
|---|
| Description | # Technical Details
A Server-Side Request Forgery (SSRF) vulnerability allows unauthenticated attackers to issue arbitrary HTTP requests against internal or external networks. The NextChat Next.js proxy route handler (`app/api/proxy.ts`) acts as an open proxy because it trusts the `x-base-url` HTTP header to determine the destination URL without any domain validation.
# Vulnerable Code
File: app/api/proxy.ts & app/api/[provider]/[...path]/route.ts
Method: proxyHandler
Why: When an unrecognized provider is specified in the fallback handler (`app/api/[provider]/...`), it defaults to the standard `proxyHandler`. This handler computes `fetchUrl` by concatenating the user-supplied HTTP header `x-base-url` directly with the request path. Since there is no domain allowlisting, supplying an internal target (e.g. `http://127.0.0.1`) makes the server fetch that resource itself.
# Reproduction
1. Establish a running instance of NextChat with its API endpoints exposed.
2. Send an HTTP GET request to the `unknown-provider` proxy route: `http://localhost:3000/api/unknown-provider/get?foo=bar`.
3. Add the HTTP header `x-base-url: http://x.x.x.x` (or any other internal resource) to the request.
4. The server reads the header, trusts the hostname, and streams the internal response directly back to the external client.
# Impact
Server-Side Request Forgery (SSRF). Attackers can proxy requests to internal network services, circumvent firewalls, access internal metadata (e.g., cloud Instance Metadata Service at `x.x.x.x` to steal temporary AWS cloud credentials), or use the server as an open proxy to attack external domains anonymously.
|
|---|
| Source | https://gist.github.com/YLChen-007/da6b00024f5b7e1d4fa0658c19b77fbf |
|---|
| User | Eric-b (UID 96354) |
|---|
| Submitted | 06/04/2026 05:57 (21 days ago) |
|---|
| Moderated | 27/04/2026 10:16 (21 days later) |
|---|
| Status | accepted |
|---|
| VulDB Entry | 359779 [ChatGPTNextWeb NextChat up to 2.16.1 route.ts proxyHandler privilege escalation] |
|---|
| Points | 20 |
|---|
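The root cause described in the submission is that `proxyHandler` builds `fetchUrl` from a client-controlled header with no validation. The following TypeScript is an added example (not NextChat's own code): `buildTargetUnsafe` mirrors the concatenation pattern the submission describes, and `buildTargetSafe` shows a hardened form that only accepts an allowlisted upstream origin and re-checks the origin after resolving the path. The function names and the allowlist entries are assumptions.

```typescript
// Added example, not NextChat's own code; names and allowlist are assumptions.
export const ALLOWED_UPSTREAMS: ReadonlyArray<string> = [
  "https://api.openai.com", // constructed allowlist of permitted upstream origins
  "https://api.anthropic.com",
];

// The pattern the submission describes: the client-supplied header is
// concatenated with the request path and fetched as-is.
export function buildTargetUnsafe(baseUrlHeader: string, path: string): string {
  return `${baseUrlHeader}/${path}`;
}

// URL.hostname normalises IPv4 spellings (hex, octal, shorthand) to dotted
// decimal and brackets IPv6, so a literal-address check after parsing catches
// loopback, link-local and metadata-service targets.
function isIpLiteral(hostname: string): boolean {
  return hostname.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

// Hardened replacement: the header may only select an allowlisted origin, and
// the path may not redirect the request to a different origin.
export function buildTargetSafe(
  baseUrlHeader: string | null,
  path: string,
  allowlist: ReadonlyArray<string> = ALLOWED_UPSTREAMS,
): string | null {
  if (!baseUrlHeader) return null;
  let base: URL;
  try {
    base = new URL(baseUrlHeader);
  } catch {
    return null; // not an absolute, parseable URL
  }
  if (base.protocol !== "https:") return null; // no http:, file:, gopher:, ...
  if (base.username || base.password) return null; // no user@host confusion
  if (isIpLiteral(base.hostname)) return null;
  if (!allowlist.includes(base.origin)) return null; // exact scheme+host+port
  // Resolve the path against the allowlisted origin, then confirm the result
  // still points there (an absolute URL passed as the path would not).
  const relative = path.replace(/^[\\/]+/, "");
  let target: URL;
  try {
    target = new URL(relative, base.origin + "/");
  } catch {
    return null;
  }
  return target.origin === base.origin ? target.toString() : null;
}
```

A route handler would call `buildTargetSafe` with the header value and return a 400 when it yields `null` instead of forwarding the request.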