text-generation-webui Cloud Metadata SSRF Vulnerability in RAG Extensions

A server-side request forgery (SSRF) vulnerability has been identified in the superbooga and superboogav2 RAG extensions of text-generation-webui, prior to version 4.3. These extensions improperly handle user-supplied URLs by fetching them with requests.get() without any validation, such as scheme checks, IP filtering, or hostname allowlisting. This flaw allows attackers to access cloud metadata endpoints, steal IAM credentials, and probe internal services. The exfiltrated content is then sent through the RAG pipeline, making it visible in subsequent LLM responses.

Impact

Exploitation of this vulnerability leads to unauthorized access to cloud metadata, allowing for the theft of IAM credentials. It also enables internal network scanning and data exfiltration. The vulnerability is particularly concerning as text-generation-webui is often deployed on cloud platforms, sometimes with public access via Gradio, and no authentication is required by default.

Reproduction

To reproduce this vulnerability, clone the text-generation-webui repository and enable the superbooga extension. Start the server with the superbooga extension activated. In the 'URL input' tab, enter a URL pointing to a cloud metadata endpoint, such as the one for IAM security credentials. After clicking 'Load data,' the server will fetch the metadata, extract the credentials, and store them in ChromaDB. These credentials can then be accessed through the LLM's responses, demonstrating the vulnerability's impact.

Remediation

Users can update to version 4.3, where this vulnerability has been fixed. For those using earlier versions, the existing '_validate_url()' function from 'modules/web_search' can be imported and applied before fetching URLs to mitigate the issue.