HAPI FHIR Unauthenticated Blind Server-Side Request Forgery Vulnerability in FHIR Validator

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in HAPI FHIR versions prior to 6.9.4. The issue resides in the FHIR Validator HTTP service, specifically within the '/loadIG' endpoint. This endpoint accepts user-supplied URLs via JSON body and makes server-side HTTP requests to those URLs without validating the hostname, scheme, or domain. An unauthenticated attacker with network access to the validator can exploit this vulnerability to probe internal network services, access cloud metadata endpoints, and map network topology through error-based information leakage. The vulnerability is amplified by the default 'explore=true' setting, which triggers multiple outbound HTTP calls with each request, enhancing reconnaissance capabilities.

Impact

Exploitation of this vulnerability allows for internal network probing, access to cloud metadata endpoints, and mapping of network topology through error-based information leakage. The vulnerability also bypasses any domain restrictions via redirects, amplifying reconnaissance efforts by generating multiple outbound requests with each exploited '/loadIG' call.

Reproduction

To reproduce this vulnerability, run the HAPI FHIR Validator in HTTP server mode. Then, send a POST request to the '/loadIG' endpoint with a JSON body containing a URL that targets an internal network service or a cloud metadata endpoint. The validator makes a server-side HTTP request to the specified URL, and if the target is reachable, the response indicates that the endpoint is accessible. The vulnerability can also be reproduced by hosting a redirect on an allowed domain that points to an internal target, which bypasses domain validation.

Remediation

Users are advised to update to HAPI FHIR version 6.9.4 or later, where this vulnerability has been patched.

Added: Mar 31, 2026, 5:22 PM
Updated: Mar 31, 2026, 5:22 PM

Vulnerability Rating (Custom Algorithm)

spread          2.4
impact          0.6
exploitability  6.0
remediation     7.7
relevance       5.0
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.