Postiz Unauthenticated SSRF Vulnerability in PublicController Allowing Internal Resource Access
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Postiz, an AI social media scheduling tool, prior to version 2.21.3. The issue resides in the GET /public/stream endpoint of the PublicController, which accepts a user-supplied URL query parameter, fetches it server-side and proxies the full HTTP response back to the caller. The endpoint's only validation is a check that the URL string ends with 'mp4', which is trivially bypassed because the suffix can be placed in the query string or fragment rather than the path. Because the endpoint requires no authentication and applies no SSRF protections (no scheme allowlist and no check of the destination address), an unauthenticated attacker can use it to reach internal services, cloud metadata endpoints and other network-internal resources.
Impact
Exploitation of this vulnerability allows unauthorized access to internal network resources and cloud metadata, potentially leading to theft of sensitive information such as cloud credentials, which could in turn result in a full compromise of the affected cloud account. Additionally, if the underlying fetch implementation supports non-HTTP schemes, the vulnerability could be exploited to read local files.
Reproduction
The vulnerability can be reproduced by sending a GET request to the /public/stream endpoint with a URL parameter that points to an internal resource or cloud metadata endpoint and carries a fragment or query parameter containing '.mp4'. The response includes the full content of the proxied resource, confirming the SSRF.
Remediation
Users are advised to upgrade to Postiz version 2.21.3 or later. Self-hosted deployments that cannot upgrade immediately should apply the existing 'IsSafeWebhookUrl' validation logic to the stream endpoint so that destinations are checked before the server fetches them.
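One way to implement the destination check the remediation calls for, written here as an added example rather than Postiz's own IsSafeWebhookUrl code (whose implementation is not shown on this page). The validator requires an http(s) scheme, applies the '.mp4' rule to the URL path only so that a query string or fragment cannot satisfy it, and refuses hostnames that are, or resolve to, loopback, private, link-local or cloud-metadata addresses. The function names, the blocklist and the sample inputs are constructed for this example.

```typescript
import { isIP } from "net";
import { promises as dns } from "dns";

// Result of validating a caller-supplied stream URL.
type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// IPv4 ranges the proxy must never fetch from. Constructed for this example;
// extend it to match the deployment (e.g. add multicast 224.0.0.0/4).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],       // "this" network, commonly routed to loopback
  ["10.0.0.0", 8],      // RFC 1918
  ["100.64.0.0", 10],   // carrier-grade NAT, used by some cloud metadata services
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local, includes the usual cloud metadata address
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inV4Range(ip: string, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// True when an address literal is loopback, private, link-local or otherwise internal.
function isBlockedAddress(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) {
    return BLOCKED_V4.some(([base, bits]) => inV4Range(ip, base, bits));
  }
  if (family === 6) {
    const v6 = ip.toLowerCase();
    if (v6 === "::1" || v6 === "::") return true;             // loopback, unspecified
    if (/^f[cd][0-9a-f]{2}:/.test(v6)) return true;           // unique-local fc00::/7
    if (/^fe[89ab][0-9a-f]:/.test(v6)) return true;           // link-local fe80::/10
    const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped form
    return mapped ? isBlockedAddress(mapped[1]) : false;
  }
  return true; // not an address literal at all: refuse rather than guess
}

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Validate the url parameter of the stream endpoint. `resolved` holds every
// address the hostname resolves to; the caller obtains it via DNS so that a
// hostname pointing at an internal address is caught, not just IP literals.
function checkStreamUrl(raw: string, resolved: string[]): UrlCheck {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL not allowed" };
  }
  // The vulnerable check inspected the whole string; query and fragment must
  // not count, so only the path may satisfy the suffix rule.
  if (!/\.mp4$/i.test(url.pathname)) {
    return { ok: false, reason: "path does not name an .mp4 resource" };
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || /\.localhost$/.test(host)) {
    return { ok: false, reason: "localhost not allowed" };
  }
  if (isIP(host) && isBlockedAddress(host)) {
    return { ok: false, reason: `address literal ${host} is internal` };
  }
  if (resolved.length === 0) {
    return { ok: false, reason: "hostname did not resolve" };
  }
  for (const addr of resolved) {
    if (isBlockedAddress(addr)) {
      return { ok: false, reason: `${host} resolves to internal address ${addr}` };
    }
  }
  return { ok: true, url };
}

// Convenience wrapper that performs the DNS step, checking every A/AAAA record.
async function validateStreamUrl(raw: string): Promise<UrlCheck> {
  let resolved: string[] = [];
  try {
    const host = new URL(raw).hostname.replace(/^\[|\]$/g, "");
    resolved = isIP(host)
      ? [host]
      : (await dns.lookup(host, { all: true })).map((r) => r.address);
  } catch {
    // leave resolved empty; checkStreamUrl reports the parse or resolution failure
  }
  return checkStreamUrl(raw, resolved);
}
```

In a handler, `await validateStreamUrl(req.query.url)` runs before any fetch, and a rejection is logged with its reason and answered with a 400. Two caveats remain: the fetch must connect to the address that was just validated (or the check must be repeated inside the resolver) to close the DNS-rebinding window between lookup and connection, and redirects must be followed manually with each hop re-validated, since a public host may otherwise 302 the proxy to an internal one. Limiting response size and checking the returned content type keeps the endpoint from becoming a generic download proxy even for allowed hosts.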
