Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Manager-io Manager Unauthenticated Server-Side Request Forgery Vulnerability
Vulnerability
A critical unauthenticated server-side request forgery (SSRF) vulnerability has been identified in the proxy handler component of Manager-io Manager's Desktop and Server editions, affecting versions through 25.7.18.2519. This vulnerability allows attackers to bypass network isolation and access restrictions, potentially leading to unauthorized access to internal services, cloud metadata endpoints, and the exfiltration of sensitive data from isolated network segments.
Impact
Exploitation of this vulnerability bypasses network isolation and firewall rules, because the request originates from the Manager host itself and reaches internal systems and services that are normally shielded from external networks. In cloud environments it can be used to reach instance metadata endpoints, leaking instance credentials that in turn may grant control over cloud resources. It can also be used to exfiltrate sensitive information from internal systems, such as configuration files and API keys.
Reproduction
The vulnerability can be reproduced by sending a POST request to the proxy endpoint with a crafted payload that points the server at an internal resource or a cloud metadata endpoint. The server follows the redirect, downgrades the request method to GET, and retrieves the data from the internal target, returning it in its response to the attacker.
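The failure described above is a proxy handler that follows redirects without checking where each hop leads. The following is an added example, not Manager-io code and not derived from the patched release: an outbound-proxy target check that validates every redirect hop against blocked address ranges before connecting, so a public URL that redirects to the metadata service is refused. The hostnames, fake DNS table and fake HTTP responses are constructed for illustration; `check_target` and `proxy_fetch` are hypothetical names.

```python
"""Added example (not Manager-io code): validate every hop of an outbound
proxy request, including redirects, against internal address ranges."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Address ranges an application-level proxy should never be allowed to reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",      # link-local, including 169.254.169.254 metadata
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
# Names that must be refused even though they might resolve to a public IP.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}


def is_blocked_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:      # ::ffff:127.0.0.1 style bypass
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def resolve(host: str):
    """Return every A/AAAA address: an attacker-controlled name may mix a
    public and a private record, so all of them are checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_target(url: str, resolver=resolve):
    """Return (ok, reason) for one URL before any connection is opened."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.lower() in BLOCKED_HOSTS:
        return False, "blocked host: %s" % host
    try:
        addrs = [host] if _is_ip_literal(host) else resolver(host)
    except (socket.gaierror, OSError) as exc:
        return False, "resolution failed: %s" % exc
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"


def proxy_fetch(url: str, fetch, resolver=resolve, max_hops: int = 3):
    """Follow redirects manually so every hop is validated. `fetch(url)` must
    return (status, headers, body) and must not follow redirects itself."""
    hops = []
    for _ in range(max_hops + 1):
        ok, reason = check_target(url, resolver)
        if not ok:
            return {"ok": False, "error": reason, "hops": hops}
        hops.append(url)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])   # relative Location too
            continue
        return {"ok": True, "status": status, "body": body, "hops": hops}
    return {"ok": False, "error": "too many redirects", "hops": hops}


# Constructed stand-ins for the network; no real connections are made.
FAKE_WEB = {
    "https://attacker.example/start": (
        302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"iam/"),
    "https://docs.example/page": (200, {}, b"<html>public</html>"),
}
FAKE_DNS = {"attacker.example": ["203.0.113.10"], "docs.example": ["198.51.100.7"]}


def fake_fetch(url):
    return FAKE_WEB[url]


def fake_resolve(host):
    return FAKE_DNS[host]


def demo():
    return {
        "redirect_to_metadata": proxy_fetch("https://attacker.example/start", fake_fetch, fake_resolve),
        "direct_private": proxy_fetch("http://10.0.0.5:8080/admin", fake_fetch, fake_resolve),
        "public": proxy_fetch("https://docs.example/page", fake_fetch, fake_resolve),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check is independent of the POST-to-GET downgrade the page describes; the downgrade only changes what the internal target sees, not whether it is reachable. One caveat for a real deployment: validating the resolved address and then connecting by hostname leaves a DNS-rebinding window, so the HTTP client should connect to the address that was checked rather than resolving the name a second time.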
Remediation
Users are advised to upgrade to version 25.7.21.2525. Until the upgrade is applied, restricting outbound connections from the Manager host, in particular to link-local and private address ranges, limits what the proxy handler can be made to reach.
