Squidex Server-Side Request Forgery Vulnerability in Backup Restore Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Squidex versions prior to 7.23.0. The issue arises in the `RestoreController.PostRestoreJob` endpoint, which accepts an arbitrary URL from an administrator and downloads the backup archive from it. The URL is fetched with the 'Backup' HttpClient without any SSRF protection, so the destination is never validated. As a result, a malicious or compromised admin could use the server to probe internal network services, reach cloud metadata endpoints, or perform internal reconnaissance. Exploitation requires an authenticated admin account, but the vulnerability still poses a significant risk because it can expose sensitive internal resources.
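The missing control is a destination check on the admin-supplied URL before the server fetches it. The following is an added illustration, not Squidex code (Squidex is a .NET project; the check is shown in Python so it runs stand-alone): `ssrf_verdict` is a hypothetical helper that accepts only http(s) URLs, refuses embedded credentials, resolves the host, and rejects the URL if any resolved address is loopback, private, link-local (the cloud metadata address 169.254.169.254 lives there) or otherwise non-global. The resolver is injectable so the sample inputs below are checked without network access.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed example (not Squidex's own code): a pre-fetch check for an
# admin-supplied backup URL. Only public http(s) destinations are allowed.

ALLOWED_SCHEMES = ("http", "https")


def _resolve(host):
    """Default resolver: every A/AAAA record for host via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(addr):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is a private IPv4 host in IPv6 clothing; unwrap it first.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def ssrf_verdict(url, resolver=_resolve):
    """Return (allowed, reason) for a backup URL.

    Every address the host resolves to must be public; a host with one
    public and one internal record is refused, since the client may pick
    either.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        # Plain IP literals need no DNS lookup.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Anything else (names, but also odd numeric spellings the system
        # resolver may accept) goes through the resolver and is then checked.
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"DNS failure for {host}: {exc}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs with a fake resolver (no network needed).
    samples = [
        ("https://backups.example.com/site.zip", {"backups.example.com": ["93.184.216.34"]}),
        ("http://169.254.169.254/latest/meta-data/", {}),
        ("http://localhost:8080/backup.zip", {"localhost": ["127.0.0.1", "::1"]}),
        ("http://intranet.corp/backup.zip", {"intranet.corp": ["10.1.2.3"]}),
        ("file:///etc/passwd", {}),
    ]
    for url, table in samples:
        print(url, "->", ssrf_verdict(url, resolver=lambda h, t=table: t.get(h, [])))
```

Two caveats apply to any check of this shape. First, validating the name once and then letting the HTTP client resolve it again opens a DNS rebinding window; the robust form connects to the address that was validated (or validates inside the connect step). Second, redirects must be covered: a public host can answer with a 302 to an internal address, so either disable automatic redirects (in .NET, `HttpClientHandler.AllowAutoRedirect = false`) and re-run the verdict on each hop, or refuse redirects altogether for backup downloads.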

Impact

Exploitation of this vulnerability allows an admin to use the Squidex server as a proxy for unauthorized requests to internal services or cloud metadata endpoints, potentially disclosing sensitive information or credentials.

Reproduction

To reproduce this vulnerability, an admin user can send a POST request to the `/api/apps/restore/` endpoint with a JSON payload containing a URL controlled by the attacker. The 'Backup' HttpClient will fetch the URL without any SSRF protections, allowing the attacker to probe internal services or access cloud metadata.

Remediation

Update to Squidex version 7.23.0 or later, where this vulnerability is fixed.

Added: Apr 22, 2026, 10:24 PM
Updated: Apr 22, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.6
exploitability: 5.5
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.