NucleoidAI Nucleoid Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in NucleoidAI Nucleoid versions through 0.7.10. The issue arises in the outbound request handler component, specifically within the 'extension.apply' function in 'src/cluster.ts'. The vulnerability allows attackers to manipulate request parameters such as 'ip', 'port', and 'path' to coerce the server into making arbitrary HTTP requests to internal or external hosts. This could include accessing cloud metadata services or internal applications and databases.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services, cloud metadata endpoints, and sensitive information. It could also allow for internal network reconnaissance, open proxy abuse, and resource exhaustion by forwarding arbitrary traffic.

Reproduction

To reproduce this vulnerability, an attacker must influence the values returned by 'extension.apply(req)' to include malicious 'ip', 'port', and 'path' parameters. This can be done by manipulating request data such as query parameters, request bodies, or headers. Once the values are controlled, the application will make outbound requests to the specified targets without proper validation, allowing access to internal services or cloud metadata.
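The forwarding pattern described above, shown as an added TypeScript example beside a hardened version. This is illustrative code, not Nucleoid's 'src/cluster.ts'; the request shape, the 'applyExtension' stand-in for 'extension.apply', and the 'CLUSTER_PEERS' list are assumptions made for the example. The unsafe builder produces whatever URL the 'ip', 'port' and 'path' parameters dictate; the safe builder only forwards to peers the server was configured with and rejects paths that smuggle an authority (including the backslash form the WHATWG URL parser treats as a slash).

```typescript
// Added example (not Nucleoid's own code): a minimal model of the SSRF
// pattern described in the advisory, next to a hardened forwarder.
import { URL } from "node:url";
import * as net from "node:net";

interface IncomingRequest {
  query: Record<string, string | undefined>;
  headers: Record<string, string | undefined>;
}

interface ForwardTarget {
  ip: string;
  port: number;
  path: string;
}

// Hypothetical stand-in for extension.apply(req): it lifts ip/port/path
// straight out of attacker-controllable query parameters.
function applyExtension(req: IncomingRequest): ForwardTarget {
  return {
    ip: req.query.ip ?? "127.0.0.1",
    port: Number(req.query.port ?? 80),
    path: req.query.path ?? "/",
  };
}

// Vulnerable pattern: the target is used as-is, so the server will
// request a cloud metadata endpoint or any internal host on demand.
function buildForwardUrlUnsafe(req: IncomingRequest): string {
  const t = applyExtension(req);
  return `http://${t.ip}:${t.port}${t.path}`;
}

// Assumed configuration: the only hosts this node should ever forward to.
const CLUSTER_PEERS: ReadonlySet<string> = new Set([
  "10.0.0.5:8080",
  "10.0.0.6:8080",
]);

// A forwardable path must be server-relative: no scheme, no authority,
// no CR/LF. Resolving against a dummy origin catches "//host" and "/\host".
function isAllowedPath(path: string): boolean {
  if (!path.startsWith("/") || path.startsWith("//")) return false;
  if (/[\r\n]/.test(path)) return false;
  const u = new URL(path, "http://placeholder.invalid");
  return u.host === "placeholder.invalid" && u.pathname.startsWith("/");
}

// Hardened pattern: validate ip, port and path, then require the
// ip:port pair to be a configured cluster peer before building the URL.
function buildForwardUrlSafe(req: IncomingRequest): string {
  const t = applyExtension(req);
  const family = net.isIP(t.ip);
  if (family === 0) throw new Error(`invalid ip: ${t.ip}`);
  if (!Number.isInteger(t.port) || t.port < 1 || t.port > 65535) {
    throw new Error(`invalid port: ${t.port}`);
  }
  const host = family === 6 ? `[${t.ip}]` : t.ip;
  if (!CLUSTER_PEERS.has(`${host}:${t.port}`)) {
    throw new Error(`target not in cluster allowlist: ${host}:${t.port}`);
  }
  if (!isAllowedPath(t.path)) throw new Error(`invalid path: ${t.path}`);
  return new URL(t.path, `http://${host}:${t.port}`).toString();
}

// Constructed sample request: a metadata-service probe via query parameters.
const probe: IncomingRequest = {
  query: { ip: "169.254.169.254", port: "80", path: "/latest/meta-data/" },
  headers: {},
};
console.log("unsafe:", buildForwardUrlUnsafe(probe));
try {
  console.log("safe:", buildForwardUrlSafe(probe));
} catch (e) {
  console.log("safe rejected:", (e as Error).message);
}
```

The allowlist is the actual fix for a cluster forwarder, since its legitimate peers are themselves internal addresses; blocking private or link-local ranges alone would either break the feature or leave other internal services reachable. Path normalisation through the URL parser is a secondary check that keeps '..' segments and authority-smuggling from redirecting a permitted peer request elsewhere.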

Added: Oct 16, 2025, 9:17 PM
Updated: Oct 16, 2025, 9:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.8
exploitability: 7.7
remediation: 0.0
relevance: 0.7
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.