whisperX API Server-Side Request Forgery Vulnerability in URL Handling
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the whisperX API, specifically in the FileService.download_from_url() function. This vulnerability exists in versions 0.3.1 through 0.5.0. The issue arises because the function calls requests.get(url) without validating the URL first. A file extension check does exist, but it runs only after the HTTP request has already been made, so it can be satisfied simply by appending .mp3 to an internal URL. The vulnerability is exacerbated by the fact that the /speech-to-text-url endpoint is unauthenticated, making it possible for an attacker to exploit this issue remotely.
Impact
Exploitation of this vulnerability allows an attacker to access internal resources or cloud metadata services, potentially leading to unauthorized data exposure. For example, AWS credentials can be accessed by targeting specific metadata URLs. Additionally, the vulnerability could be used to scan internal networks or access services through their APIs, depending on the exploited URL.
Reproduction
To reproduce this vulnerability, send a request to the /speech-to-text-url endpoint with an internal URL that includes a .mp3 extension. The server will process the request, fetch the URL data, and bypass the extension validation, all while the URL handling lacks proper security checks. This can be automated with a script that targets cloud metadata URLs, demonstrating how sensitive information, like AWS credentials, can be leaked.
Remediation
Users can update to whisperX version 0.6.0 or later, where this vulnerability has been fixed. The update includes added validation for URLs before making HTTP requests, ensuring that only safe URLs are processed.
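The pre-request validation the remediation describes, shown as an added example for the pattern in the Vulnerability section above. This is not whisperX code and does not reproduce the 0.6.0 fix; the allow-lists, the redirect limit, the fetch callable standing in for requests.get, and the host names, addresses and responses in the offline test doubles are all constructed for this illustration.

```python
import ipaddress
import os
import socket
from urllib.parse import urljoin, urlparse

# Added example, not whisperX code. The advisory names only requests.get(url)
# and the .mp3 check; the allow-lists and limits below are assumptions.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_EXTENSIONS = {".mp3", ".wav", ".m4a"}
MAX_REDIRECTS = 3

def default_resolver(host):
    """Every address (A and AAAA) the host currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_ip(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_target(url, resolver=default_resolver):
    """Network checks, applied to the first URL and to every redirect hop."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addresses = {str(ipaddress.ip_address(host))}  # literal IP, no DNS
    except ValueError:
        try:
            addresses = resolver(host)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    for addr in addresses:  # one non-public answer is enough to refuse
        if not is_public_ip(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return parsed

def validate_url(url, resolver=default_resolver):
    """Full pre-request validation: path extension first, then the target."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    return validate_target(url, resolver)

def download_from_url_hardened(url, fetch, resolver=default_resolver):
    """Validate, then fetch; redirects are followed by hand and re-validated.
    fetch(url) does ONE non-following GET, e.g.
    functools.partial(requests.get, allow_redirects=False, timeout=10)."""
    validate_url(url, resolver)
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        response = fetch(current)
        if response.status_code in (301, 302, 303, 307, 308):
            location = response.headers.get("Location")
            if not location:
                raise ValueError("redirect without Location header")
            current = urljoin(current, location)
            validate_target(current, resolver)  # a hop must not point inside
            continue
        if response.status_code != 200:
            raise ValueError(f"unexpected status {response.status_code}")
        return response.content
    raise ValueError("too many redirects")

# --- constructed offline doubles so the example runs without network/DNS ---
FAKE_DNS = {"audio.example.test": {"93.184.216.34"},               # public only
            "rebind.example.test": {"93.184.216.35", "10.0.0.5"}}  # mixed answers
FETCHED = []  # every URL the fake server actually received

def fake_resolver(host):
    return FAKE_DNS[host]

class FakeResponse:
    def __init__(self, status_code, headers=None, content=b""):
        self.status_code, self.headers, self.content = status_code, headers or {}, content

def fake_fetch(url):
    """Pretend server: one clip, plus a redirect toward the metadata address."""
    FETCHED.append(url)
    if url == "https://audio.example.test/clip.mp3":
        return FakeResponse(200, content=b"ID3-constructed-audio")
    if url == "https://audio.example.test/hop.mp3":
        return FakeResponse(302, {"Location": "http://169.254.169.254/latest/meta-data/"})
    return FakeResponse(404)

def try_download(url):
    """(accepted, content or rejection reason) for one URL via the doubles."""
    try:
        return True, download_from_url_hardened(url, fake_fetch, fake_resolver)
    except ValueError as exc:
        return False, str(exc)
```

Two design points matter here. First, the extension is checked on the parsed path and the address check runs before any socket is opened, so an internal address with .mp3 appended is refused without ever being contacted; the extension check alone is not a security control, since any URL can carry a .mp3 suffix. Second, requests.get follows redirects by default, so a public URL that redirects to an internal address would defeat a check on the initial URL only; the example therefore disables automatic redirects and re-validates each hop. The remaining gap is DNS rebinding: the answer used for validation is not necessarily the answer the HTTP client later connects to, so a production deployment should pin the validated address (connect to it directly and send the Host header) or route outbound fetches through an egress proxy that enforces the same policy.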
