Submission #812176: cal.com <= v4.9.4 Server-Side Request Forgery (CWE-918)

Information

Title: cal.com <= v4.9.4 Server-Side Request Forgery (CWE-918)
Description:

# Technical Details

A critical Time-of-Check to Time-of-Use (TOCTOU) Server-Side Request Forgery (SSRF) bypass exists in the `GET` logo rendering handler in `apps/web/app/api/logo/route.ts` of cal.com. The URL is validated statically before the request is made, but the application does not stop the HTTP client from following redirects during the subsequent `fetch` call, so the static SSRF URL validation can be bypassed entirely.

# Vulnerable Code

File: apps/web/app/api/logo/route.ts
Method: GET
Why: The backend validates the URL by calling `await validateUrlForSSRF(filteredLogo)`. However, the downstream call `await fetch(filteredLogo, { signal: AbortSignal.timeout(10000) })` omits `redirect: "manual"`, so Node's `fetch` follows any redirect automatically and the redirect target is never passed through the SSRF validation. Redirect destinations are therefore fetched from a routing scope that the validation never sees.

# Reproduction

1. Using the configuration permissions of a Team, update the Team avatar parameters.
2. Supply a valid public URL pointing at a redirect service that returns an unconditional `HTTP 302` to `http://x.x.x.x/latest/meta-data/`.
3. The server validates only the initial URI, which passes the SSRF IP/CIDR checks.
4. The server then calls `fetch`, which blindly follows the 302 into the internal address range, and the response from the protected metadata endpoint is read, bypassing the protection.

# Impact

- Full read access to protected internal cloud configuration (AWS/GCP instance metadata), permitting immediate extraction of backend environment secrets and therefore rapid infrastructure compromise.
- Automated internal service scanning, pivoting through the (unauthenticated) SSRF to reach internal endpoints such as Redis and Postgres directly.
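The missing step described above is re-validating every redirect hop. The following is an added example (not cal.com code; `isBlockedHost`, `checkUrl`, `nextHop` and `fetchWithSsrfGuard` are hypothetical stand-ins for the project's `validateUrlForSSRF`, and the literal-IP check assumes DNS names are resolved and re-checked elsewhere) showing a fetch wrapper that uses `redirect: "manual"` and rejects a hop into a private range before it is requested:

```typescript
// Added example, not cal.com code: a fetch wrapper that re-validates every redirect hop.
// isBlockedHost/checkUrl are simplified stand-ins for the page's validateUrlForSSRF.
type HeaderGetter = { get(name: string): string | null };
type Resp = { status: number; headers: HeaderGetter };
type Fetcher = (url: string, init: { redirect: "manual" }) => Promise<Resp>;

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

// Loopback, RFC 1918, link-local (where cloud metadata services live) and "this network".
const BLOCKED_V4: [string, number][] = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12],
  ["192.168.0.0", 16], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

export function isBlockedHost(hostname: string): boolean {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const ip = ipv4ToInt(h); // WHATWG URL parsing already normalised decimal/hex IPv4 forms
  if (ip === null) return false; // assumption: DNS names are resolved and re-checked elsewhere
  return BLOCKED_V4.some(([net, bits]) =>
    (ip >>> (32 - bits)) === ((ipv4ToInt(net) as number) >>> (32 - bits)));
}

export function checkUrl(raw: string, base?: URL): URL {
  const u = new URL(raw, base); // relative Location headers resolve against the current hop
  if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error(`blocked scheme ${u.protocol}`);
  if (isBlockedHost(u.hostname)) throw new Error(`blocked host ${u.hostname}`);
  return u;
}

// One response: null means a final body, a URL means a next hop that has just been re-validated.
export function nextHop(current: URL, status: number, location: string | null): URL | null {
  if (status < 300 || status > 399 || location === null) return null;
  return checkUrl(location, current); // the re-check the vulnerable route never performs
}

export async function fetchWithSsrfGuard(url: string, doFetch: Fetcher, maxHops = 5): Promise<Resp> {
  let current = checkUrl(url);
  for (let hop = 0; hop <= maxHops; hop++) {
    // redirect: "manual" hands the 3xx back to us instead of letting fetch follow it
    const res = await doFetch(current.href, { redirect: "manual" });
    const next = nextHop(current, res.status, res.headers.get("location"));
    if (next === null) return res;
    current = next;
  }
  throw new Error("too many redirects");
}
```

In production `doFetch` would be Node's global `fetch` (with the page's `AbortSignal.timeout` passed through); the constructed `10.0.0.5` target in the test stands in for the elided internal address.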
Source: https://gist.github.com/YLChen-007/b3d0b85767b7e346a291933d602fbb3b
User: Eric-z (UID 95890)
Submitted: 24/04/2026 13:46 (2 months ago)
Moderated: 22/05/2026 19:55 (28 days later)
Status: accepted
VulDB entry: 365251 [calcom cal.diy up to 4.9.4 Logo API route.ts validateUrlForSSRF privilege escalation]
Points: 20
