Postiz Webhook Creation Endpoint Blind SSRF Vulnerability

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in Postiz, an AI social media scheduling tool, in versions prior to 2.21.4. The issue is in the webhook creation endpoint, POST /webhooks/, whose data transfer object (DTO) validates only that the supplied URL is well formed; it does not check where the URL points. A webhook URL targeting a loopback, private-network or cloud-metadata address is therefore accepted and stored, and when the orchestrator later fetches that stored URL without any further validation the result is a blind SSRF. The vulnerability has been patched in version 2.21.4.

Impact

A Postiz user who can create webhooks can use them to make the server issue requests to internal services. Because the orchestrator fetches the stored webhook URL without runtime validation, the request can reach services on the host or private network, or the cloud metadata endpoint on platforms such as AWS, GCP or Azure. The SSRF is blind: the response is not returned to the attacker, so the response body (including any metadata contents) is not read directly; the impact lies in reaching services that act on an unauthenticated inbound POST.

Reproduction

To reproduce, first create a webhook through POST /webhooks/ with a URL that points at an internal service. The URL is accepted despite being internal, because the validation checks only that it is a correctly formatted URL. Then publish a post through the Postiz interface or API. Publishing triggers the webhook, and the server sends a POST request to the internal URL with the serialized post data as the body, so the content of the post determines part of what the internal service receives.

Remediation

Users are advised to upgrade to Postiz version 2.21.4 or later, where this vulnerability has been addressed. Where an immediate upgrade is not possible, restricting outbound network access from the Postiz services (in particular to loopback, private ranges and the cloud metadata address) at the network or container layer limits what a stored webhook URL can reach; this is a compensating control, not a substitute for the fix.
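The following is an added example, not Postiz code and not the actual 2.21.4 patch. It puts the format-only check the Vulnerability section describes beside a hardened check of the kind the Remediation implies: the first accepts any syntactically valid http(s) URL, the second additionally rejects loopback, private, link-local, cloud-metadata and internal-name targets, and a third function shows the same address test being re-run on the resolved address at fetch time, which is where the orchestrator's missing runtime validation would sit. Function names, the blocked-range list and the blocked-host suffixes are this example's own assumptions.

```typescript
// Added example, not Postiz code. Contrasts a format-only URL check (the kind
// the advisory describes on the webhook DTO) with a hardened check that rejects
// loopback, private, link-local and cloud-metadata targets. Function names and
// the blocked lists below are this example's own assumptions.

// IPv4 ranges an outbound webhook should never be allowed to reach.
const BLOCKED_V4_RANGES: Array<[string, number]> = [
  ["0.0.0.0", 8],        // "this" network
  ["10.0.0.0", 8],       // RFC 1918
  ["100.64.0.0", 10],    // carrier-grade NAT, used by some cloud internals
  ["127.0.0.0", 8],      // loopback
  ["169.254.0.0", 16],   // link-local, includes 169.254.169.254 (cloud metadata)
  ["172.16.0.0", 12],    // RFC 1918
  ["192.168.0.0", 16],   // RFC 1918
];

// Hostnames (exact) and suffixes (leading dot) that denote the host itself or
// cloud/internal names such as metadata.google.internal. Assumed starting list.
const BLOCKED_HOSTS = ["localhost", ".localhost", ".internal", ".local"];

function parseIPv4(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (m === null) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4(base)! & mask) >>> 0);
}

// True when a dotted-quad IPv4 address falls inside any blocked range.
function isBlockedIPv4(addr: string): boolean {
  const ip = parseIPv4(addr);
  if (ip === null) return false;
  return BLOCKED_V4_RANGES.some(([base, bits]) => inCidr(ip, base, bits));
}

// Screen for IPv6 literals: loopback, unspecified, link-local, ULA and
// IPv4-mapped forms. URL.hostname hands these over bracketed, e.g. "[::1]".
function isBlockedIPv6Literal(bracketed: string): boolean {
  const h = bracketed.slice(1, -1).toLowerCase();
  if (h === "::1" || h === "::") return true;
  if (h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd")) return true;
  if (h.startsWith("::ffff:")) return isBlockedIPv4(h.slice(7));
  return false;
}

// Format-only check: what a DTO that merely validates "is this a URL" gives you.
// It accepts http://127.0.0.1:6379/ just as readily as a public endpoint.
function looksLikeUrl(raw: string): boolean {
  try {
    const u = new URL(raw);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (_e) {
    return false;
  }
}

// Hardened creation-time check for a user-supplied webhook target. Relies on
// the WHATWG URL parser normalising IPv4 forms such as http://2130706433/ to
// 127.0.0.1 before the range test runs.
function isSafeWebhookUrl(raw: string): boolean {
  let u: URL;
  try {
    u = new URL(raw);
  } catch (_e) {
    return false;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (u.username !== "" || u.password !== "") return false; // no embedded credentials
  const host = u.hostname.toLowerCase();
  if (host === "") return false;
  if (host.startsWith("[")) return !isBlockedIPv6Literal(host);
  if (parseIPv4(host) !== null) return !isBlockedIPv4(host);
  return !BLOCKED_HOSTS.some((s) => (s.startsWith(".") ? host.endsWith(s) : host === s));
}

// Creation-time validation alone is not enough: a public name can be pointed
// at a private address after the webhook is stored (DNS rebinding). The
// component that fires the webhook should resolve the host itself and re-run
// the address test on the result before connecting.
function isSafeResolvedAddress(addr: string): boolean {
  if (addr.includes(":")) return !isBlockedIPv6Literal(`[${addr}]`);
  return parseIPv4(addr) !== null && !isBlockedIPv4(addr);
}
```

The creation-time and fetch-time checks share one address test on purpose: a deny-list applied only to the string the user typed is bypassed by a hostname that resolves to a private address, so the same logic has to run on what the resolver returns at the moment the orchestrator sends the POST.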

Added: Apr 2, 2026, 6:49 PM
Updated: Apr 2, 2026, 6:49 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          0.4
exploitability  6.0
remediation     0.0
relevance       5.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.