Payload Server-Side Request Forgery Vulnerability in External File Uploads

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Payload, a headless content management system, in versions prior to 3.75.0. The flaw lies in the external file upload feature: when the server fetches a file from a user-supplied URL it follows HTTP redirects without adequately validating where they lead, so an authenticated user can make the server reach internal network resources. A Payload deployment is vulnerable only if at least one collection has uploads enabled and the user has create access to that collection. Exploitation could give access to internal services, including the possibility of retrieving response content from those services through the application.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal network resources, allowing an authenticated user to retrieve sensitive information from internal services via the application.

Reproduction

The vulnerability can be reproduced by uploading a file through an external URL to a collection that has the upload feature enabled. The uploaded URL should be crafted to include a redirect to an internal service, which can then be accessed through the application, demonstrating the SSRF vulnerability.

Remediation

Users are advised to upgrade to Payload version 3.75.0 or later. If an immediate upgrade is not possible, the vulnerability can be mitigated by disabling external file uploads on the affected collection or by restricting create access to trusted users only.
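The root cause above is that a redirect is followed without the target being re-validated. The following is an added example, not Payload's own code, of the check a server-side fetcher needs: every URL in the chain, the initial one and each Location target, is parsed with the WHATWG URL parser, resolved, and compared against internal address ranges before any request is made. The DNS resolver and the single-request fetcher are injected (`resolve`, `fetchOnce`) so the example runs offline against constructed sample data; the hostnames, addresses and responses in `SAMPLE_DNS` and `SAMPLE_RESPONSES` are made up for the demonstration.

```javascript
// Added example (not Payload's code): re-check every hop of a redirect chain
// against internal address ranges before the server fetches it.
// `resolve(host)` -> list of IPs is injected so the example runs offline;
// production code would use a real DNS lookup (e.g. dns.promises.lookup).

const BLOCKED_V4 = [                   // [network, prefix length]
  ['0.0.0.0', 8],      ['10.0.0.0', 8],     ['100.64.0.0', 10],
  ['127.0.0.0', 8],    ['169.254.0.0', 16], ['172.16.0.0', 12],
  ['192.168.0.0', 16], ['224.0.0.0', 4],    ['240.0.0.0', 4],
];
const V4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/;

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function isBlockedV4(ip) {
  const value = ipv4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((value & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

function isBlockedV6(ip) {
  const a = ip.toLowerCase();
  // IPv4-mapped addresses, dotted (::ffff:127.0.0.1) or hex (::ffff:7f00:1,
  // which is how the WHATWG URL parser serialises them): judge the IPv4 part.
  const dotted = a.match(/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/);
  if (dotted) return isBlockedV4(dotted[1]);
  const hex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return a === '::' || a === '::1'          // unspecified, loopback
    || /^f[cd]/.test(a)                     // fc00::/7 unique local
    || /^fe[89ab]/.test(a)                  // fe80::/10 link-local
    || /^ff/.test(a);                       // multicast
}

function isBlockedAddress(ip) {
  if (V4_RE.test(ip)) return isBlockedV4(ip);
  if (ip.includes(':')) return isBlockedV6(ip);
  return true;                              // not an IP literal: fail closed
}

// Returns null when the URL may be fetched, otherwise a reason string.
function checkUrl(raw, resolve) {
  let url;
  try { url = new URL(raw); } catch { return 'unparseable URL'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return `scheme ${url.protocol} not allowed`;
  if (url.username || url.password) return 'credentials in URL not allowed';
  // The WHATWG parser has already normalised forms such as http://2130706433/
  // to 127.0.0.1, so the literal check below sees the canonical address.
  let host = url.hostname;
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  if (host === 'localhost' || host.endsWith('.localhost')) return 'localhost not allowed';
  const addrs = V4_RE.test(host) || host.includes(':') ? [host] : resolve(host);
  if (!addrs || addrs.length === 0) return `host ${host} did not resolve`;
  const bad = addrs.find(isBlockedAddress);
  return bad ? `host ${host} resolves to blocked address ${bad}` : null;
}

// Follow redirects by hand so every Location target goes through checkUrl.
// `fetchOnce(url)` makes ONE request without following redirects and returns
// { status, location?, body? } (e.g. a wrapper around fetch(url, { redirect: 'manual' })).
function fetchWithRedirectChecks(startUrl, fetchOnce, resolve, maxRedirects = 5) {
  let current = startUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const reason = checkUrl(current, resolve);
    if (reason) return { ok: false, url: current, error: `hop ${hop}: ${reason}` };
    const res = fetchOnce(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).href;   // Location may be relative
      continue;
    }
    return { ok: true, url: current, status: res.status, body: res.body };
  }
  return { ok: false, url: current, error: 'too many redirects' };
}

// Constructed sample data (hypothetical hosts): a fake DNS table and a fake
// origin whose /redirect answers 302 with a loopback Location.
const SAMPLE_DNS = { 'files.example.com': ['203.0.113.10'], 'intranet.example.internal': ['10.1.2.3'] };
const sampleResolve = (host) => SAMPLE_DNS[host] || [];
const SAMPLE_RESPONSES = {
  'https://files.example.com/image.png': { status: 200, body: 'png bytes (constructed)' },
  'https://files.example.com/redirect':  { status: 302, location: 'http://127.0.0.1:8080/admin' },
  'https://files.example.com/hop1':      { status: 302, location: '/hop2' },
  'https://files.example.com/hop2':      { status: 200, body: 'hop2 body (constructed)' },
};
const sampleFetchOnce = (url) => SAMPLE_RESPONSES[url] || { status: 404, body: '' };

function demo() {
  const run = (u) => fetchWithRedirectChecks(u, sampleFetchOnce, sampleResolve);
  return {
    direct: run('https://files.example.com/image.png'),          // ok
    redirectToLoopback: run('https://files.example.com/redirect'), // rejected at hop 1
    relativeRedirect: run('https://files.example.com/hop1'),      // ok, lands on /hop2
  };
}
```

Two design points matter here. First, the check runs on the canonical, parsed form of each URL rather than on the raw string, so alternative encodings of an address are judged after normalisation. Second, a check of this kind is only as good as the moment it runs: a hostname can resolve to a public address during validation and to an internal one at connect time, so a production fetcher should also pin the validated address for the actual connection (or perform the check inside the connection layer) rather than resolving twice.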

Added: Feb 24, 2026, 3:27 PM
Updated: Feb 24, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 5.8
remediation: 7.9
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.