Vexa Webhook Feature Server-Side Request Forgery Vulnerability
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Vexa meeting bot API and transcription API prior to version 0.10.0-260419-1910. The webhook feature lets an authenticated user register a URL that receives an HTTP POST once a meeting concludes. The application does not validate the supplied URL (neither its scheme or host nor the address the host resolves to), so an authenticated attacker can point it at internal services, cloud metadata endpoints (such as 169.254.169.254), or services bound to localhost, and the Vexa server will issue the request from its own network position.
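As an added illustration, not code from the Vexa project or from this advisory, the following Python shows the kind of check the webhook endpoint was missing: it rejects non-HTTP schemes, embedded credentials, well-known metadata hostnames, and any literal or DNS-resolved address that is loopback, private, link-local, multicast, reserved or unspecified. The hostname lists, the public address returned by the stand-in resolvers, and the injectable `resolve` parameter are assumptions made for this example; the actual fix shipped in 0.10.0-260419-1910 may look different.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Example policy (assumed for this illustration, not Vexa's own configuration).
ALLOWED_SCHEMES = {"https", "http"}
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}


def resolve_all(host):
    """Resolve a hostname to every A/AAAA address via the system resolver.

    Checking only the first answer is a classic mistake: an attacker-controlled
    name can return one public and one private address.
    """
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(ip_str):
    """True for any address a server-initiated webhook must never reach."""
    # Drop an IPv6 zone id such as "%eth0" before parsing.
    addr = ipaddress.ip_address(ip_str.split("%", 1)[0])
    # ::ffff:127.0.0.1 is still 127.0.0.1 on the wire; check the embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_webhook_url(url, resolve=resolve_all):
    """Return (True, resolved_addresses) for an acceptable URL, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL are not allowed"
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname: {host}"

    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None

    if literal is not None:
        addrs = [str(literal)]
    else:
        # Names like "2130706433" or "127.1" are not IP literals to the ipaddress
        # module but glibc happily resolves them to 127.0.0.1, so always resolve
        # and judge the resulting addresses rather than the textual host.
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
        if not addrs:
            return False, f"{host} did not resolve to any address"

    for ip in addrs:
        if is_blocked_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, addrs


if __name__ == "__main__":
    # Constructed inputs; the stand-in resolver avoids real DNS so this runs offline.
    fake_dns = {"hooks.example.net": ["93.184.216.34"], "2130706433": ["127.0.0.1"]}
    for candidate in ("https://hooks.example.net/vexa",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://localhost:8080/",
                      "http://[::ffff:127.0.0.1]/",
                      "http://2130706433/",
                      "file:///etc/passwd"):
        print(candidate, "->", check_webhook_url(candidate, resolve=fake_dns.__getitem__))
```

Validating at registration time is necessary but not sufficient: a DNS name that passes the check can later be re-pointed at an internal address (DNS rebinding), so the same check should run again when the POST is actually sent, ideally connecting to the address that was just validated rather than resolving a second time, and the sending component should not follow redirects without re-validating the target.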
Impact
Exploitation of this vulnerability allows any authenticated user to make the Vexa server send HTTP POST requests to internal services, cloud metadata endpoints, or services listening on localhost, crossing network boundaries that the attacker cannot reach directly. The advisory does not state whether the webhook response is returned to the caller; even as a blind SSRF the request can reach and trigger actions on internal HTTP services, and where the response is observable it can expose sensitive data such as cloud credentials served by a metadata endpoint.
Reproduction
To reproduce this vulnerability, clone the Vexa repository and start the stack with Docker. After initializing the database, create a test user and obtain an API token. Start an HTTP listener on the host machine (for example netcat or a one-line Python HTTP server) and, using the token, set the webhook URL to that listener's address; the application accepts it without any check. Create a test meeting; when it concludes, the server delivers the webhook POST to the listener, and the request appearing there confirms the SSRF.
Remediation
Users should update to Vexa version 0.10.0-260419-1910 or later, where this vulnerability has been patched. Deployments that cannot upgrade immediately should restrict the outbound network access of the component that delivers webhooks (egress filtering) so that it cannot reach cloud metadata endpoints, private address ranges, or localhost services.
