Strapi Server-Side Request Forgery Vulnerability in Webhook URL Handling

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Strapi versions prior to 4.25.2. The issue arises in the Webhooks settings: the Webhook URL field accepts a URL pointing at a local or internal address without validation, and saving such a URL causes the Strapi server to issue a request to that address, including to itself. This allows an attacker to make the server send requests to internal resources on the attacker's behalf.

Impact

Exploitation of this vulnerability could allow an attacker to access internal services or resources that are not exposed to the public, potentially leading to further exploitation or information disclosure.

Reproduction

To reproduce this vulnerability, navigate to the Webhooks settings in Strapi. Enter a local URL such as 'http://127.0.0.1:80' into the Webhook URL field and click 'Save'. This triggers a request from the server to the specified URL. Since nothing is listening on port 80, the request fails. If the URL is changed to 'http://127.0.0.1:1337', the port on which Strapi itself is running, the request succeeds. The difference in outcome shows that the server can be made to send requests to internal services, and that the result reveals whether an internal port is open.

Remediation

Users should update Strapi to version 4.25.2 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.