YunaiV YuDao Cloud Server-Side Request Forgery Vulnerability in Business Process Management HTTP Triggers
Vulnerability
A critical server-side request forgery (SSRF) vulnerability exists in YunaiV YuDao Cloud versions prior to 2025.11. It affects the Business Process Management (BPM) component, specifically the BpmHttpCallbackTrigger and BpmSyncHttpRequestTrigger functions. The issue arises because the URL, headers, and request body that a user supplies in an HTTP trigger configuration are neither validated nor sanitized before the server uses them. As a result, an authenticated user with BPM process design permissions can set these values to make the server issue arbitrary HTTP requests, potentially exposing internal network resources or sensitive information from cloud metadata services.
Impact
Exploitation of this vulnerability allows an authenticated attacker with BPM process design permissions to reach internal network resources, extract sensitive information from cloud provider metadata services (such as AWS IAM credentials), port-scan internal networks, exfiltrate data to external servers, and potentially achieve remote code execution if other vulnerabilities can be chained with it.
Reproduction
To reproduce this vulnerability, an authenticated user with BPM process design permissions creates a BPM process that includes an HTTP trigger node and configures it with a URL that points at an internal network resource or a cloud metadata service. Once the process is deployed and executed, the server makes the HTTP request to that URL without any restriction on the destination.
Remediation
It is recommended to implement strict URL validation so that only well-formed URLs are accepted, to restrict the scheme to HTTP and HTTPS, and to block requests whose destination resolves to an internal network range (including cloud metadata endpoints). Additionally, allowlisting the domains that HTTP triggers may call, sanitizing URLs to remove traversal characters, and logging every HTTP request made by a BPM trigger help mitigate this vulnerability and make abuse detectable.
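The following is an added illustration of that remediation, written by the editor for this page; it is not YuDao project code. It validates a trigger URL before the server sends any request: scheme restricted to http/https, embedded credentials rejected, host checked against a hypothetical allowlist (the host names are placeholders, not project configuration), and every address the host resolves to checked against loopback, link-local, private, carrier-grade NAT and unique-local ranges. A small header check rejects CR/LF and NUL so configured header values cannot inject additional headers.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Validates HTTP trigger configuration before the BPM engine issues a request (illustrative, not project code). */
public final class BpmHttpUrlValidator {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Hypothetical allowlist of destinations a trigger may call (assumption, not project configuration).
    private static final Set<String> ALLOWED_HOSTS = Set.of("hooks.example.com", "api.example.com");

    private BpmHttpUrlValidator() {}

    /** Returns the parsed URI if it is acceptable, otherwise throws IllegalArgumentException with the reason. */
    public static URI validate(String raw) {
        final URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("credentials embedded in URL are not allowed");
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("missing or unparsable host");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not in allowlist: " + host);
        }
        // Defence in depth: even an allowlisted name must not resolve to an internal address.
        final InetAddress[] resolved;
        try {
            resolved = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("host does not resolve: " + host);
        }
        for (InetAddress addr : resolved) {
            if (isInternalAddress(addr)) {
                throw new IllegalArgumentException("host resolves to an internal address: " + addr.getHostAddress());
            }
        }
        return uri;
    }

    /** True for any address a trigger must never be allowed to reach. */
    static boolean isInternalAddress(InetAddress addr) {
        // Covers 127/8, ::1, 169.254/16 (cloud metadata endpoints), fe80::/10, 10/8, 172.16/12, 192.168/16, fec0::/10.
        if (addr.isAnyLocalAddress() || addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                || addr.isSiteLocalAddress() || addr.isMulticastAddress()) {
            return true;
        }
        byte[] b = addr.getAddress();
        if (b.length == 4) {
            int first = b[0] & 0xff, second = b[1] & 0xff;
            // 0.0.0.0/8 and 100.64.0.0/10 (carrier-grade NAT) are not flagged by the checks above.
            return first == 0 || (first == 100 && (second & 0xc0) == 0x40);
        }
        // IPv6 unique local addresses fc00::/7 are not covered by isSiteLocalAddress().
        return (b[0] & 0xfe) == 0xfc;
    }

    /** Rejects header names outside the token charset and values containing CR, LF or NUL. */
    public static void validateHeader(String name, String value) {
        if (name == null || !name.matches("[A-Za-z0-9!#$%&'*+.^_`|~-]+")) {
            throw new IllegalArgumentException("invalid header name");
        }
        if (value == null || value.chars().anyMatch(c -> c == '\r' || c == '\n' || c == 0)) {
            throw new IllegalArgumentException("invalid header value");
        }
    }

    public static void main(String[] args) {
        // Constructed sample configurations; only the first should be accepted.
        List<String> samples = List.of(
                "https://hooks.example.com/bpm/callback",
                "http://169.254.169.254/latest/meta-data/",
                "http://user:secret@hooks.example.com/",
                "file:///etc/passwd",
                "http://[::1]:8080/admin");
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two points matter when wiring this into the trigger: validation must run on the final URL after any template substitution, and the HTTP client should connect to the address that was checked (or re-run the check on each redirect and each reconnect), since a name validated here can resolve differently by the time the request is sent. Logging the accepted and rejected URLs alongside the process and user id gives the detection hook the advisory recommends.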