Postiz SSRF Vulnerability in Upload-from-URL Endpoint Allows Internal Resource Access
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Postiz, an AI social media scheduling tool, prior to version 2.21.3. The issue arises in the POST /public/v1/upload-from-url endpoint, which accepts a user-supplied URL and fetches it server-side with axios.get() without any SSRF protection. The only validation implemented is a file-extension check for image formats, which is easily bypassed. This allows authenticated API users to reach internal network resources, cloud instance metadata, and other internal services. The fetched data is uploaded to storage and returned to the user. The vulnerability has been patched in version 2.21.3.
Impact
Exploitation of this vulnerability allows authenticated API users to access internal network services and cloud metadata, potentially leading to unauthorized data access or exfiltration. In cloud environments, this could include stealing IAM credentials, which may result in full cloud infrastructure compromise. The vulnerability also enables scanning of internal networks for accessible services, databases, and administrative interfaces.
Reproduction
To reproduce this vulnerability, an authenticated API user can send a POST request to the /public/v1/upload-from-url endpoint with a URL pointing to an internal resource or cloud metadata endpoint, such as AWS instance metadata. The response will include a download URL for the fetched data, which can be used to access the exfiltrated information.
Remediation
Users are advised to upgrade to Postiz version 2.21.3 or later. For developers, it is recommended to apply the existing IsSafeWebhookUrl validator or equivalent SSRF protection to the UploadDto, and to enforce scheme validation and DNS resolution checks to prevent DNS rebinding attacks.
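As an added example of the guard the remediation describes (this is not Postiz code and does not reproduce its IsSafeWebhookUrl validator; all names below are hypothetical), the following TypeScript module enforces an http/https scheme, resolves the hostname once, rejects any answer in a loopback, private, link-local (cloud metadata) or other non-public range, and returns the single IP the HTTP client must connect to so that no second lookup happens at connect time (the DNS rebinding window). The address-range checks are a defensive list, not an exhaustive one.

```typescript
// Added example (not Postiz project code): SSRF guard for an
// upload-from-URL style endpoint. Hypothetical names throughout.
import { isIP } from "node:net";
import { promises as dns } from "node:dns";

export interface SafeTarget {
  url: URL;         // validated URL (path, query, Host header come from here)
  host: string;     // hostname without IPv6 brackets
  pinnedIp: string; // the one address the socket is allowed to connect to
}

const hostOf = (url: URL): string => url.hostname.replace(/^\[|\]$/g, "");

function parseIPv4(ip: string): number[] | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((n) => n <= 255) ? octets : null; // NaN fails the test
}

// True when an address must never be fetched server-side.
export function isBlockedAddress(ip: string): boolean {
  const version = isIP(ip);
  if (version === 4) {
    const o = parseIPv4(ip);
    if (!o) return true;
    const [a, b] = o;
    return (
      a === 0 ||                            // 0.0.0.0/8
      a === 10 ||                           // 10.0.0.0/8
      a === 127 ||                          // 127.0.0.0/8 loopback
      (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 shared/CGNAT
      (a === 169 && b === 254) ||           // 169.254.0.0/16 link-local, incl. instance metadata
      (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
      (a === 192 && b === 168) ||           // 192.168.0.0/16
      a >= 224                              // multicast, reserved, broadcast
    );
  }
  if (version === 6) {
    const v6 = ip.toLowerCase();
    if (v6 === "::" || v6 === "::1") return true; // unspecified, loopback
    // IPv4-mapped forms (::ffff:a.b.c.d or ::ffff:hhhh:hhhh) get the IPv4 rules
    const dotted = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (dotted) return isBlockedAddress(dotted[1]);
    const hex = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      return isBlockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return /^(f[cd]|fe[89a-f])/.test(v6); // fc00::/7 ULA, fe80::/10 link-local, fec0::/10 site-local
  }
  return true; // not an IP literal at all: treat as unsafe
}

// Step 1: syntactic checks that need no network access.
export function checkUrlSyntax(raw: string): URL {
  let url: URL;
  try { url = new URL(raw); } catch { throw new Error("malformed URL"); }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) throw new Error("credentials in URL not allowed");
  const host = hostOf(url);
  if (host === "" || host === "localhost" || host.endsWith(".localhost")) {
    throw new Error("local hostname not allowed");
  }
  return url;
}

// Step 2: with the addresses the host resolved to (IP literals skip DNS),
// reject if ANY answer is blocked: a resolver that mixes public and private
// answers is the classic rebinding setup. Pin the first surviving address.
export function validateResolved(raw: string, lookup: (host: string) => string[]): SafeTarget {
  const url = checkUrlSyntax(raw);
  const host = hostOf(url);
  const addresses = isIP(host) ? [host] : lookup(host);
  if (addresses.length === 0) throw new Error(`DNS resolution failed for ${host}`);
  const blocked = addresses.find(isBlockedAddress);
  if (blocked !== undefined) throw new Error(`${host} resolves to blocked address ${blocked}`);
  return { url, host, pinnedIp: addresses[0] };
}

// Step 3: the async entry point using the system resolver (one lookup only).
export async function resolveSafeUrl(
  raw: string,
  resolve: (host: string) => Promise<string[]> = async (h) =>
    (await dns.lookup(h, { all: true })).map((r) => r.address),
): Promise<SafeTarget> {
  const host = hostOf(checkUrlSyntax(raw));
  const addresses = isIP(host) ? [host] : await resolve(host);
  return validateResolved(raw, () => addresses);
}

// Step 4: a dns.lookup-compatible function that always answers with the
// pinned IP, so the HTTP client connects to exactly the address that was
// checked while still sending the original Host header.
export function makePinnedLookup(pinnedIp: string) {
  const family = isIP(pinnedIp);
  return (_hostname: string, options: any, callback: (...args: any[]) => void) => {
    if (options && options.all) callback(null, [{ address: pinnedIp, family }]);
    else callback(null, pinnedIp, family);
  };
}
```

In use, the endpoint would call resolveSafeUrl on the submitted URL before fetching, then hand makePinnedLookup(target.pinnedIp) to the HTTP client as its `lookup` function (for axios, via an http.Agent/https.Agent built with that option; the exact wiring is an assumption about the client library, not something the advisory states). Redirects must go through the same check for every hop, since a public host that 302s to 169.254.169.254 defeats a check applied only to the first URL.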
