HomeBox Blind Server-Side Request Forgery Vulnerability Allowing Internal Service Enumeration

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in HomeBox versions prior to 0.24.0-rc.1. This vulnerability allows authenticated users to send HTTP POST requests to arbitrary URLs without any validation or restrictions on the host, IP address, or port. Although the application does not disclose the response body from the target service, the user interface behavior varies based on the network state of the destination. This discrepancy creates a behavioral side-channel that can be exploited for internal service enumeration.

Impact

Exploitation of this vulnerability creates a server-side request forgery condition, allowing authenticated users to perform internal reconnaissance. The impact includes the ability to conduct internal port scans, enumerate services accessible from the host, identify unexposed internal infrastructure, and potentially reach services shielded by network-level controls, provided they are accessible from the application server.

Remediation

Users are advised to update HomeBox to version 0.24.0-rc.1 or later. After updating, consult the HomeBox documentation on security considerations for notifiers to apply the appropriate security settings. By default, only reserved IPs and cloud metadata endpoints are blocked; restricting notifier destinations to exclude local networks or localhost requires additional configuration.
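The kind of destination check the remediation describes, as an added example written for this advisory rather than HomeBox's own code: the function names, the injected resolver and the exact denied ranges are assumptions, and the test addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// IsDeniedIP reports whether ip lies in a loopback, private, link-local
// (which includes the 169.254.169.254 cloud metadata endpoint), multicast
// or unspecified range. Extend it (e.g. 100.64.0.0/10) for your own network.
func IsDeniedIP(ip net.IP) bool {
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// ValidateNotifierURL vets a user-supplied notifier URL before any request
// is sent. The vulnerable pattern handed the URL straight to the HTTP client;
// here the scheme is restricted and every address the host resolves to is
// checked. resolve is injected so the check runs offline in this example;
// in production pass net.LookupIP.
func ValidateNotifierURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("missing host in %q", raw)
	}
	ips := []net.IP{net.ParseIP(host)} // literal address: no lookup needed
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if IsDeniedIP(ip) {
			return fmt.Errorf("%q resolves to denied address %s", host, ip)
		}
	}
	// Caveat: re-resolving the hostname at dial time reopens the door to DNS
	// rebinding; dial the vetted IP (e.g. via a custom Dialer) instead.
	return nil
}
```

Rejecting the URL before the request is made also removes the timing and error-path differences that produced the blind side-channel.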

Added: Mar 3, 2026, 11:21 PM
Updated: Mar 3, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.7
remediation: 0.0
relevance: 3.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.