PinchTab Server-Side Request Forgery Vulnerability in Task Scheduler Webhook
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in PinchTab version 0.8.3. This issue arises in the optional task scheduler's webhook delivery process. When a task is submitted with a user-controlled callback URL, the scheduler sends an outbound HTTP POST request to that URL once the task reaches a terminal state. The vulnerability exists because webhook validation checks only the URL scheme, so loopback, private, link-local, and other non-public destinations are accepted. Additionally, the default HTTP client behavior is used, which follows redirects and does not pin the connection to the IP that was validated. As a result, this version allows blind SSRF from the PinchTab server to attacker-chosen HTTP or HTTPS targets reachable from the server.
Impact
Exploitation of this vulnerability allows blind SSRF from the PinchTab server to attacker-controlled HTTP or HTTPS endpoints. While the default deployment model is local-first and user-controlled, the vulnerability can be exploited if the scheduler is enabled and reachable, particularly in token-protected deployments where the attacker has access to the master API token.
Reproduction
To reproduce this vulnerability, PinchTab version 0.8.3 must be used with the scheduler enabled. After submitting a task with an attacker-controlled callback URL, the webhook will be dispatched to that URL when the task reaches a terminal state. This can be verified by checking the inbound requests on the attacker-controlled receiver, which will log the POST request originating from the PinchTab server.
Remediation
Users can upgrade to PinchTab version 0.8.4, which addresses this vulnerability by implementing proper validation for callback URLs, rejecting non-public IP ranges, pinning deliveries to validated IPs, disabling redirect following, and validating callback URLs during task submission.
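The following is an added illustration of the remediation described above, not PinchTab's own code: callback validation at task submission that rejects non-public addresses, delivery pinned to the validated IP, and redirect following disabled. The function names isPublicIP, validateCallback and webhookClient are assumptions for this example.

```go
package main

import (
	"context"
	"errors"
	"net"
	"net/http"
	"net/url"
)
// isPublicIP rejects the address classes a webhook must never reach: loopback,
// private (RFC 1918/ULA), link-local (incl. 169.254.0.0/16), multicast, unspecified.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// validateCallback (hypothetical name) runs at task submission: it requires an
// absolute http(s) URL and returns the public IP the delivery will be pinned to.
func validateCallback(raw string) (*url.URL, net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, nil, errors.New("callback must be an absolute http(s) URL")
	}
	ips := []net.IP{net.ParseIP(u.Hostname())}
	if ips[0] == nil { // not an IP literal: resolve it now, once
		if ips, err = net.LookupIP(u.Hostname()); err != nil {
			return nil, nil, err
		}
	}
	for _, ip := range ips { // every address the name maps to must be public
		if !isPublicIP(ip) {
			return nil, nil, errors.New("callback resolves to non-public address " + ip.String())
		}
	}
	return u, ips[0], nil
}

// webhookClient dials only the IP validated at submission (a DNS change between
// validation and delivery cannot retarget it) and never follows redirects.
func webhookClient(pinned net.IP) *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				_, port, _ := net.SplitHostPort(addr) // Transport always passes "host:port"
				return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(pinned.String(), port))
			},
		},
	}
}
```

Because the TCP dial is overridden but the request URL is unchanged, TLS verification still uses the original hostname, so HTTPS callbacks keep working while the destination stays fixed.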
