Submission #797646: nextchat <= 2.16.1 Server-Side Request Forgery (CWE-918) / Path Traversal (CWE-22)

Title: nextchat <= 2.16.1 Server-Side Request Forgery (CWE-918) / Path Traversal (CWE-22)
Description:

# Technical Details

A Server-Side Request Forgery (SSRF) vulnerability exists in the NextChat API endpoint. The application improperly passes the unvalidated user-controlled `id` query parameter directly into a backend fetch request targeting the Cloudflare KV API. By using directory traversal payloads (`../`), an attacker can escape the restricted KV namespace directory and invoke arbitrary Cloudflare API endpoints using the server's highly privileged `CLOUDFLARE_KV_API_KEY`.

# Vulnerable Code

File: app/api/artifacts/route.ts
Method: GET handler

Why: The route acts as a proxy to retrieve artifacts from a Cloudflare KV store. It blindly concatenates the `id` from `searchParams` into a URL (`${storeUrl()}/values/${id}`). Because `fetch()` inherently performs URL path normalization, a traversal payload like `../../..` causes fetch to step completely outside the KV namespace scope and resolve to the Cloudflare API root. Compounding the issue, the `storeHeaders()` function always injects the `Authorization: Bearer cloudflareKVApiKey` token into these requests.

# Reproduction

1. Ensure the target instance is configured with Cloudflare KV (which attaches the KV API keys).
2. The attacker crafts a request to the `GET /api/artifacts` endpoint.
3. The attacker supplies exactly 7 traversal segments in the `id` parameter: `?id=../../../../../../../user/tokens/verify`.
4. The backend `fetch()` resolves the path relative to the hardcoded endpoint, shifting the target entirely to the Cloudflare API (`https://api.cloudflare.com/client/v4/user/tokens/verify`) while attaching the server's bearer token.

# Impact

Critical SSRF & Identity Takeover. The attacker can directly call privileged Cloudflare API endpoints using the `CLOUDFLARE_KV_API_KEY` configured by the administrator.

Depending on the token's scope, this could allow full account takeover of the victim's Cloudflare infrastructure, manipulation of DNS settings, reading of other namespaces, or bypassing of proxy protections.
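The following is an added example, not NextChat's own code, showing why the concatenation pattern described above escapes the KV namespace once the WHATWG URL parser resolves dot segments, and how a route can validate the `id` before building the fetch URL. `STORE_URL`, `ACCOUNT_ID`, `NAMESPACE_ID` and the function names are assumptions standing in for the project's `storeUrl()`.

```typescript
// Constructed stand-in for the route's storeUrl(): the KV namespace base URL.
// ACCOUNT_ID and NAMESPACE_ID are placeholders, not real identifiers.
const STORE_URL =
  "https://api.cloudflare.com/client/v4/accounts/ACCOUNT_ID/storage/kv/namespaces/NAMESPACE_ID";

// The pattern the advisory describes: the raw id is concatenated into the URL.
// fetch() hands this string to the WHATWG URL parser, which resolves "../"
// segments, so a crafted id moves the request out of the namespace.
function naiveArtifactUrl(id: string): string {
  return new URL(`${STORE_URL}/values/${id}`).href;
}

// Check 1 (post-resolution): the final URL must still point at a single
// key under this namespace's /values/ path, with no extra path segments.
function isWithinNamespace(resolved: string): boolean {
  const base = `${STORE_URL}/values/`;
  if (!resolved.startsWith(base)) return false;
  const rest = resolved.slice(base.length);
  return rest.length > 0 && !rest.includes("/");
}

// Check 2 (pre-resolution): artifact ids are opaque tokens, so reject anything
// outside a strict allowlist before a URL is ever built. Length cap is an assumption.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,128}$/;

// Hardened builder: allowlist the id, encode it as one path segment so the
// parser cannot interpret it as dot segments, then re-check the resolved URL.
function safeArtifactUrl(id: string): string | null {
  if (!ID_PATTERN.test(id)) return null;
  const resolved = new URL(`${STORE_URL}/values/${encodeURIComponent(id)}`).href;
  return isWithinNamespace(resolved) ? resolved : null;
}
```

`isWithinNamespace` doubles as a cheap regression test for the proxy: run it over the URL the handler is about to fetch and refuse (and log) any request that fails it.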
Source: https://gist.github.com/YLChen-007/43252d45d75e8bdd2d45136fd6ffe8a5
User: Eric-b (UID 96354)
Submitted: 06/04/2026 05:57 (21 days ago)
Moderated: 27/04/2026 10:16 (21 days later)
Status: accepted
VulDB entry: 359780 [ChatGPTNextWeb NextChat up to 2.16.1 Artifacts Endpoint route.ts storeUrl ID privilege escalation]
Points: 20