zyddnys manga-image-translator Server-Side Request Forgery Vulnerability

A server-side request forgery (SSRF) vulnerability exists in zyddnys manga-image-translator versions up to beta-0.3. The vulnerability is located in the Translate Endpoints component, specifically within the 'to_pil_image' function of 'manga-image-translator-main/server/request_extraction.py'. This vulnerability allows attackers to make arbitrary HTTP requests from the server to internal or external resources by submitting a malicious URL through the watch monitoring functionality. The issue can be exploited remotely, and the project has been notified of the vulnerability but has not yet responded.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make requests from the server to other internal or external services, potentially leading to unauthorized access or disclosure of information.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/translate/bytes' endpoint with a malicious URL in the 'image' field. This can be done using a tool like 'requests' in Python. The server will then fetch the URL's content, demonstrating the SSRF vulnerability. This vulnerability can also be reproduced through the '/translate/json' endpoint, as well as the '/translate/image/stream' and '/translate/json/stream' endpoints.