Calibre Server-Side Request Forgery Vulnerability in E-Book Reader Web View

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Calibre e-book reader versions prior to 9.6.0. The flaw is in the background-image endpoint of the application's web view, which allows an attacker to issue blind GET requests to arbitrary URLs and, as a result, exfiltrate information from the e-book sandbox. The endpoint can display images from external URLs, so scripts running in the sandboxed e-book context can reach outside resources. Combined with a path traversal vulnerability, this could be exploited to retrieve the contents of files included in the e-book without the user's knowledge or consent.

Impact

Exploitation of this vulnerability allows for unauthorized data exfiltration from e-book content or the execution of blind requests to local network services.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the background-image endpoint with an attacker-controlled URL; such a request can be issued from a script running in the sandboxed context of an e-book. The server then fetches the URL's content and returns it, effectively allowing the attacker to exfiltrate data or interact with local network services.

Remediation

Users should update to Calibre version 9.6.0 or later, where this vulnerability has been patched.
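The description above identifies two defects in one endpoint: it accepts references that point off-book (any URL with a scheme or host), and it does not confine book-relative paths to the book's own resources. The following is an added example of how a server can validate such a reference before touching the filesystem or the network. It is not calibre's code and does not reflect how the 9.6.0 fix was implemented; it assumes a hypothetical server that extracts each book's resources under one directory (book_root) and receives a client-supplied src string for the background image. The function names, the src parameter, and the sample inputs are constructed for illustration.

```python
"""Illustrative hardening for an image endpoint that serves book resources.

Added example, not calibre's own code. It assumes a server that keeps each
book's extracted resources under one directory (book_root) and receives a
client-supplied 'src' string for a background image. Two policies are shown:

  resolve_book_image  - only relative paths inside book_root are served;
                        absolute URLs and path traversal are refused, so
                        sandboxed book content cannot make the server fetch
                        off-book or local-network targets.
  is_safe_remote_url  - a filter for an endpoint that deliberately proxies
                        remote images: refuses non-HTTP schemes and literal
                        loopback/private/link-local addresses.
"""
import ipaddress
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import urlsplit, unquote


class ImageRequestRejected(ValueError):
    """Raised when a client-supplied image reference violates policy."""


def resolve_book_image(book_root: Path, src: str) -> Path:
    """Map a book-internal image reference to a file under book_root, or raise."""
    parts = urlsplit(src)
    # A scheme or host means the reference points somewhere off-book
    # (http://, file://, //host/...), which is exactly what an SSRF needs.
    if parts.scheme or parts.netloc:
        raise ImageRequestRejected(f"external URL refused: {src!r}")
    rel = unquote(parts.path)
    if not rel or rel.startswith("/"):
        raise ImageRequestRejected(f"absolute or empty path refused: {src!r}")
    pure = PurePosixPath(rel)
    # Refuse any upward component before the filesystem is consulted at all,
    # even if the path would resolve back inside the root.
    if ".." in pure.parts:
        raise ImageRequestRejected(f"path traversal refused: {src!r}")
    root = book_root.resolve()
    candidate = (root / pure).resolve()
    # resolve() follows symlinks, so containment is re-checked on the final path.
    if candidate != root and root not in candidate.parents:
        raise ImageRequestRejected(f"escapes book root: {src!r}")
    if not candidate.is_file():
        raise ImageRequestRejected(f"no such resource: {src!r}")
    return candidate


def is_safe_remote_url(url: str) -> bool:
    """Allow only http(s) URLs whose host is not a literal internal address.

    Hostnames pass this check; a real deployment must resolve them and apply
    the same address test to every resolved IP (and connect to that pinned IP)
    so that DNS rebinding cannot bypass the filter.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True  # hostname, not a literal IP; see docstring
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def demo() -> dict:
    """Run both checks over constructed inputs; returns the outcome per input."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        # Constructed stand-in for an image shipped inside the book.
        (root / "images" / "bg.png").write_bytes(b"\x89PNG constructed")
        for src in ("images/bg.png", "images/../images/bg.png",
                    "../../etc/hostname", "http://example.invalid/x.png",
                    "//example.invalid/x.png", "file:///etc/hostname",
                    "/images/bg.png", "images/missing.png"):
            try:
                resolve_book_image(root, src)
                results[src] = "served"
            except ImageRequestRejected:
                results[src] = "rejected"
    for url in ("https://example.invalid/a.png", "http://127.0.0.1/a.png",
                "http://[::1]/a.png", "http://10.0.0.5/a.png",
                "http://169.254.1.1/a.png", "file:///etc/hostname"):
        results[url] = "allowed" if is_safe_remote_url(url) else "blocked"
    return results


if __name__ == "__main__":
    for reference, outcome in demo().items():
        print(f"{outcome:9s} {reference}")
```

The strict `..` rejection deliberately refuses `images/../images/bg.png` even though it would resolve inside the root: a reference that needs normalisation to be safe is a reference the client could have written plainly, and refusing it keeps the policy easy to audit. Accepting raw hostnames in `is_safe_remote_url` is only defensible when the caller resolves and re-checks them as the docstring describes.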

Added: Mar 27, 2026, 3:52 PM
Updated: Mar 27, 2026, 3:52 PM

Vulnerability Rating

Custom Algorithm

spread:         6.6
impact:         0.4
exploitability: 5.2
remediation:    7.7
relevance:      4.8
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.