Postiz Server-Side Request Forgery Vulnerability in Public Stream API Endpoint
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in the Postiz application in versions prior to 2.21.5. The issue lies in the '/api/public/stream' endpoint, where the application fails to validate URLs after HTTP redirects. The initial URL validation blocks direct requests to private or internal hosts, but the final destination is not re-checked after a redirect. This flaw allows an attacker to supply a public HTTPS URL that passes the initial check and then redirects the server's request to an internal resource.
Impact
Exploitation of this vulnerability allows attackers to access internal services not normally reachable from the outside. The server can be made to send requests to private network resources, potentially disclosing sensitive information. The streamed response from these internal requests can also be leaked back to the attacker, further amplifying the risk.
Reproduction
To reproduce this vulnerability, send a request to the '/api/public/stream' endpoint with a public HTTPS URL that redirects to an internal resource. The application will follow the redirect without re-validating the final destination, allowing access to the internal resource.
Remediation
Users are advised to upgrade to Postiz version 2.21.5 or later, where this vulnerability has been patched.
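Defensive counterpart to the flaw described above, as an added example that is not Postiz code: the HTTP client is run with redirects disabled so that every Location header passes through the same host validator that checked the original URL. The names (isPrivateHost, assertSafeUrl, resolveStream, the send callback) and the allowed schemes are assumptions; the check covers IP literals and localhost only, so production code must also resolve hostnames and check the resulting addresses.

```typescript
// Added example (not Postiz code): re-validate the destination URL on
// every redirect hop, the check the advisory says was skipped post-redirect.
// Literal host checks only; real code must also resolve DNS and test the
// resulting addresses (assumption: the caller handles resolution).
const MAX_REDIRECTS = 5;

// True when a hostname or IP literal points at loopback/private/link-local space.
function isPrivateHost(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 10 || a === 127 || a === 0 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  // IPv6: loopback, unspecified, unique-local fc00::/7, link-local fe80::/10
  if (h === "::1" || h === "::" || /^f[cd][0-9a-f]{2}:/.test(h) ||
      /^fe[89ab][0-9a-f]:/.test(h)) return true;
  // IPv4-mapped IPv6 (::ffff:10.0.0.1) is checked as the embedded v4 literal
  const mapped = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return mapped ? isPrivateHost(mapped[1]) : false;
}

// Throws unless the URL is http(s) to a non-private host (scheme list is an assumption).
function assertSafeUrl(raw: string): URL {
  const u = new URL(raw);
  if (u.protocol !== "https:" && u.protocol !== "http:") throw new Error(`blocked scheme: ${u.protocol}`);
  if (isPrivateHost(u.hostname)) throw new Error(`blocked host: ${u.hostname}`);
  return u;
}

// One simulated hop; `location` is the Location header on a 3xx response.
type Hop = { status: number; location?: string };

// `send` stands in for the HTTP client with redirects disabled
// (e.g. fetch(url, { redirect: "manual" })), so every Location header comes back here.
function resolveStream(start: string, send: (u: URL) => Hop): URL {
  let current = assertSafeUrl(start);
  for (let i = 0; i <= MAX_REDIRECTS; i++) {
    const hop = send(current);
    if (hop.status < 300 || hop.status >= 400 || !hop.location) return current;
    // Re-run the full check on the redirect target, resolved against the current URL
    current = assertSafeUrl(new URL(hop.location, current.href).href);
  }
  throw new Error("too many redirects");
}
```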
