Homarr Server-Side Request Forgery Vulnerability in tRPC Endpoint Allowing Unauthenticated Port Scanning
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Homarr, an open-source dashboard, in versions prior to 1.52.0. The issue resides in a public tRPC endpoint, 'widget.app.ping', which accepts an arbitrary URL and performs a server-side request to it. Because the endpoint requires no authentication, any remote client can cause the Homarr server to make outbound HTTP requests, which yields an SSRF primitive and, since the response reveals whether the request succeeded, a reliable port-scanning primitive. Depending on the deployment, the vulnerability could be exploited to reach internal-only services.
Impact
Exploitation of this vulnerability allows for server-side request forgery, outbound requests to arbitrary hosts, and port scanning from the Homarr server's network perspective. This could lead to accessing internal services, such as those on localhost or within a private network, and potentially cause side effects if internal endpoints respond to GET requests.
Reproduction
To reproduce this vulnerability, send a request to the 'widget.app.ping' endpoint of the Homarr API without authentication. Include an arbitrary URL in the request. The response will indicate whether the request to the URL was successful, allowing for port scanning by inferring the status of the connection based on the response received.
Remediation
Users can upgrade to Homarr version 1.52.0 or later to address this vulnerability.
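For operators and developers who run or build similar "ping" features, the underlying defect is that a caller-supplied URL is fetched server-side with no destination policy. The following TypeScript is an added example, not Homarr's code or its fix: it shows the kind of check such an endpoint should apply before issuing the outbound request. It lets the WHATWG URL parser canonicalize the host (so forms like a decimal integer or an IPv4-mapped IPv6 literal are normalized before inspection), rejects non-http(s) schemes and embedded credentials, refuses loopback, link-local, private and other non-public addresses in both the literal host and every address the name resolves to, and restricts the reachable ports to an operator-controlled allowlist. All names (`checkPingTarget`, `isBlockedAddress`, `BLOCKED_V4`) and the default range and port lists are hypothetical; the resolver is injected so the logic can run offline.

```typescript
// Added example (not Homarr's code): destination policy a server-side "ping"
// endpoint should apply before fetching a caller-supplied URL. Hypothetical
// names throughout; the blocked ranges and allowed ports are constructed defaults.

type Verdict =
  | { allowed: true; host: string; port: number }
  | { allowed: false; reason: string };

// Non-public IPv4 ranges as [network, prefixLength]. Constructed default list.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],       // "this" network
  ["10.0.0.0", 8],      // RFC 1918
  ["100.64.0.0", 10],   // shared address space (CGNAT)
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local, includes cloud metadata endpoints
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
  ["224.0.0.0", 4],     // multicast
  ["240.0.0.0", 4],     // reserved and broadcast
];

// Hostnames that name the server itself regardless of DNS.
const BLOCKED_HOSTNAMES = /^(localhost|.*\.localhost)$/i;

// Dotted-quad IPv4 text to an integer; null if the text is not a plain dotted quad.
function parseIPv4(text: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when addr lies inside network/prefix (arithmetic, so no 32-bit sign issues).
function inV4Range(addr: number, network: string, prefix: number): boolean {
  const hostBits = 2 ** (32 - prefix);
  return Math.floor(addr / hostBits) === Math.floor((parseIPv4(network) as number) / hostBits);
}

// True when an IP literal (v4 or v6, without brackets) must not be contacted.
function isBlockedAddress(ip: string): boolean {
  const v4 = parseIPv4(ip);
  if (v4 !== null) return BLOCKED_V4.some(([net, prefix]) => inV4Range(v4, net, prefix));
  const v6 = ip.toLowerCase();
  if (v6 === "::" || v6 === "::1") return true;   // unspecified, loopback
  if (/^fe[89ab]/.test(v6)) return true;          // link-local fe80::/10
  if (/^f[cd]/.test(v6)) return true;             // unique local fc00::/7
  if (v6.startsWith("::ffff:")) {                 // IPv4-mapped: re-check the embedded IPv4
    const rest = v6.slice(7);
    if (rest.includes(".")) return isBlockedAddress(rest);
    const groups = rest.split(":").map((g) => parseInt(g, 16));
    const [hi, lo] = groups.length === 2 ? groups : [0, groups[0]];
    return isBlockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// Decide whether the endpoint may fetch rawUrl. `resolve` is the DNS lookup
// (injected so the check is testable offline); the caller should then connect
// to one of the returned addresses rather than re-resolving, to avoid rebinding.
function checkPingTarget(
  rawUrl: string,
  resolve: (hostname: string) => string[],
  allowedPorts: Set<number> = new Set([80, 443]),
): Verdict {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch (_err) {
    return { allowed: false, reason: "malformed URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${url.protocol} not permitted` };
  }
  if (url.username || url.password) {
    return { allowed: false, reason: "credentials in URL not permitted" };
  }
  const hostname = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (BLOCKED_HOSTNAMES.test(hostname)) {
    return { allowed: false, reason: `hostname ${hostname} is local` };
  }
  // An IP literal is its own address; a name must resolve, and every answer is checked.
  const isLiteral = parseIPv4(hostname) !== null || hostname.includes(":");
  const addresses = isLiteral ? [hostname] : resolve(hostname);
  if (addresses.length === 0) return { allowed: false, reason: "hostname did not resolve" };
  const blocked = addresses.find(isBlockedAddress);
  if (blocked) return { allowed: false, reason: `resolves to non-public address ${blocked}` };
  const port = url.port ? Number(url.port) : url.protocol === "https:" ? 443 : 80;
  if (!allowedPorts.has(port)) return { allowed: false, reason: `port ${port} not in allowlist` };
  return { allowed: true, host: hostname, port };
}
```

The port allowlist is what removes the port-scanning primitive described above: even against a permitted host, the endpoint can only attempt the ports the operator has configured. Connecting to the address returned by the check, rather than resolving the name a second time at fetch time, closes the DNS-rebinding gap between validation and use. Requiring authentication on the endpoint is a separate control and belongs in front of this check, not instead of it.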
