AliasVault Server-Side Request Forgery Vulnerability in Favicon Extraction
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in the AliasVault API, specifically in versions 0.23.0 and prior. The vulnerability lies in the favicon extraction feature, which fetches a user-supplied URL, parses the HTML response, and follows links to icons. While the initial URL is validated to permit only HTTP and HTTPS on default ports, the extractor then follows redirects without restriction, so a redirect can send the request to loopback or internal IP ranges. An authenticated, low-privileged user could exploit this to make the server issue HTTP or HTTPS requests to arbitrary internal hosts and non-default ports. If the target host serves a favicon or any valid image, the fetched response is returned to the user in Base64 form. Even when no image data comes back, timing and error responses can be observed to map internal services. This vulnerability affects only self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled. Private deployments without public sign-ups are not directly exploitable.
Impact
Exploitation allows authenticated users to make the server send requests to internal networks or loopback addresses, potentially accessing and exfiltrating image data from those locations. Additionally, the timing and error responses can be used for limited reconnaissance of internal services.
Reproduction
To reproduce this vulnerability, an authenticated user with low privileges can use the favicon extraction feature by providing a URL that redirects to a favicon or image on an internal server or loopback address. The extractor will fetch the image and return it in Base64 format, exploiting the SSRF vulnerability.
Remediation
Users are advised to upgrade to AliasVault version 0.23.1 or later, which patches this vulnerability by restricting favicon extraction to public IP ranges and disallowing redirects to loopback or local IPs. For self-hosted instances, public account registration can be disabled to reduce exposure.
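The redirect-following weakness described above, and the fix the patch is said to apply (validate every hop, reject loopback and local ranges), as an added illustration in Python. This is not AliasVault's own code; the fetch and resolve callbacks, the `.test` hostnames and the `1.2.3.4` address are constructed stand-ins so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local (169.254.0.0/16, where cloud metadata lives), CGNAT and reserved."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must count as loopback, not IPv6
    return ip.is_global


def safe_fetch(url, fetch, resolve=socket.gethostbyname):
    """Fetch url, following redirects by hand so every hop is validated.
    fetch(url) -> (status, headers, body); resolve(host) -> dotted IPv4 string.
    Caveat: resolving, then connecting by name, leaves a DNS-rebinding window;
    a production client should connect to the exact IP it validated."""
    for _ in range(MAX_REDIRECTS + 1):
        parts = urlparse(url)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
            raise ValueError(f"rejected scheme or host: {url}")
        ip = resolve(parts.hostname)
        if not is_public_ip(ip):
            raise ValueError(f"rejected non-public address {ip} for {url}")
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # next hop is re-checked
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed stand-ins for DNS and HTTP so the example runs offline.
FAKE_DNS = {"icons.example.test": "1.2.3.4", "localhost": "127.0.0.1"}
FAKE_WEB = {
    "https://icons.example.test/favicon.ico": (200, {}, b"\x00\x00\x01\x00"),
    # a public host whose redirect tries to bounce the server to loopback
    "https://icons.example.test/bounce": (302, {"Location": "http://localhost:8080/x.png"}, b""),
}


def try_fetch(url):
    """Return 'ok:<status>:<hex body>' or 'blocked:<reason>' using the fixtures."""
    try:
        status, body = safe_fetch(url, FAKE_WEB.__getitem__, FAKE_DNS.__getitem__)
        return f"ok:{status}:{body.hex()}"
    except ValueError as exc:
        return f"blocked:{exc}"
```

The `/bounce` fixture shows why the check must run on every hop and not only on the URL the user submitted: the first hop resolves to a public address and passes, and only the redirect target is rejected.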
