NocoBase Workflow HTTP Request and Custom Request Action Plugins Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in NocoBase's workflow HTTP request plugin and custom request action plugin, prior to version 2.0.37. These plugins make HTTP requests to user-specified URLs without any SSRF protection, allowing authenticated users to access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 includes a patch for this vulnerability.
Impact
Exploitation of this vulnerability allows for unauthorized access to internal network services, cloud metadata endpoints, and localhost, potentially leading to unauthorized data access or manipulation.
Reproduction
To reproduce this vulnerability, an authenticated user can create a workflow that includes an HTTP request node. The URL can be set to a target such as an AWS metadata endpoint. Once the workflow is triggered, the server will fetch the metadata and return it in the execution logs. Alternatively, the vulnerability can be reproduced through a custom request action by sending a request to an internal service on localhost or a private IP.
Remediation
Users can update to NocoBase version 2.0.37 or later, where this vulnerability has been patched.
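The advisory describes the affected plugins as fetching user-specified URLs without any SSRF protection. The JavaScript below is an added example of the destination check such a request path needs; it is not NocoBase code and not the 2.0.37 patch, and the names `checkUrl` and `isInternalAddress` and the list of blocked ranges are assumptions made for illustration.

```javascript
// Added example, not NocoBase code; function names and blocked ranges are assumptions.
const V4_INTERNAL = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isInternalV4(ip) {
  const n = v4ToInt(ip);
  return V4_INTERNAL.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// Expand a URL-normalized IPv6 literal (no brackets) into eight 16-bit groups.
function v6Groups(h) {
  const [head, tail] = h.split('::');
  const a = head ? head.split(':') : [];
  const b = tail ? tail.split(':') : [];
  const gap = h.includes('::') ? Array(8 - a.length - b.length).fill('0') : [];
  return [...a, ...gap, ...b].map((g) => parseInt(g, 16));
}

function isInternalV6(h) {
  const g = v6Groups(h);
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xffc0) === 0xfe80 || (g[0] & 0xfe00) === 0xfc00) return true; // link-local, ULA
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) { // IPv4-mapped
    return isInternalV4([g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join('.'));
  }
  return false;
}

const isInternalAddress = (ip) => (ip.includes(':') ? isInternalV6(ip) : isInternalV4(ip));

// Returns 'reject', 'allow' (public IP literal) or 'resolve' (a hostname: the caller
// must resolve it and run isInternalAddress on every address before connecting).
function checkUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return 'reject'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'reject';
  const host = u.hostname.replace(/^\[|\]$/g, ''); // URL parser has normalized the host
  if (host === 'localhost' || host.endsWith('.localhost')) return 'reject';
  const isLiteral = host.includes(':') || /^\d+(\.\d+){3}$/.test(host);
  if (!isLiteral) return 'resolve';
  return isInternalAddress(host) ? 'reject' : 'allow';
}
```

For a `'resolve'` result the caller still has to resolve the name, pass every returned address through `isInternalAddress`, and connect to the checked address rather than resolving again. Each redirect hop needs the same check.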
