Saloon PHP Library Server-Side Request Forgery Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Saloon PHP library, prior to version 4.0.0. When constructing request URLs, Saloon combined the connector's base URL with the request endpoint. If the endpoint was a valid absolute URL, it was used as-is, bypassing the base URL. This behavior allowed requests, along with any authentication headers, cookies, or tokens, to be sent to an attacker-controlled host. The vulnerability could be exploited if the endpoint was influenced by user input or configuration, such as redirect URIs or callback URLs, leading to unauthorized access to credentials or other sensitive information on a third-party host.

Impact

Exploitation of this vulnerability allowed for server-side request forgery, where an attacker could manipulate server-side requests to an external server, potentially leading to unauthorized data access or interaction with other services. Additionally, there was a risk of credential leakage to a third-party host.

Remediation

Users are advised to upgrade to Saloon version 4.0.0 or later. For guidance on upgrading from version 3 to 4, please refer to the Saloon upgrade documentation.