request-filtering-agent SSRF Bypass Vulnerability via HTTPS Requests to 127.0.0.1

A vulnerability exists in request-filtering-agent versions 1.x.x and earlier, where HTTPS requests to 127.0.0.1 bypass the IP address filtering intended to block access to private and reserved IP addresses. While HTTP requests to the same address are correctly blocked, this flaw allows potential access to internal HTTPS services running on localhost, undermining the library's server-side request forgery (SSRF) protection. The issue is particularly concerning when applications accept user-controlled URLs and rely solely on network-level restrictions for internal services.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal HTTPS services on localhost, bypassing the application's SSRF protections. This could allow for further attacks, especially if the accessed services are sensitive or can be exploited in other ways.

Reproduction

The vulnerability can be reproduced by sending HTTPS requests to 127.0.0.1 using request-filtering-agent versions prior to 2.0.0. This can be done by installing the vulnerable version of request-filtering-agent, starting a test server that listens for HTTPS requests, and then sending a request to 127.0.0.1 over HTTPS. The request will be incorrectly allowed through, demonstrating the bypass of the IP filtering mechanism.

Remediation

Users are advised to upgrade request-filtering-agent to version 2.0.0 or later, where this vulnerability has been fixed.