Squidex Server-Side Request Forgery Vulnerability in Jint HTTP Client

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in Squidex versions prior to 7.23.0. The issue arises from the Jint HTTP client used in the scripting engine, which lacks proper SSRF protection. This vulnerability allows authenticated users with low privileges, such as schema editing rights, to manipulate the server into making arbitrary outbound HTTP requests to attacker-controlled or internal endpoints. Such actions could access internal services and cloud metadata endpoints, potentially exposing credentials and facilitating lateral movement within the cloud environment.

Impact

Exploitation of this vulnerability allows for unauthorized outbound HTTP requests from the server, which can be directed to internal services or external attacker-controlled endpoints. This could lead to exposure of sensitive data, such as cloud metadata and associated credentials, especially on cloud-hosted deployments. On-premise deployments could be exploited for internal network reconnaissance.

Reproduction

To reproduce this vulnerability, an authenticated user with schema editing permissions can modify a schema Query Script to include a request function that targets an external URL. Once the script is saved and published, it will execute on every content API request, sending the server-side request without any SSRF protections. This can be verified by monitoring the targeted endpoint for the received request.

Remediation

Users can update to Squidex version 7.23.0 or later, where this vulnerability has been fixed.
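As an added illustration (not Squidex's own code and not the 7.23.0 fix), the following Python shows the kind of destination check an outbound HTTP client exposed to user scripts should apply before sending a request: it rejects non-HTTP schemes and any host that is, or resolves to, a loopback, private, link-local (including the 169.254.169.254 cloud metadata address) or other non-public range. The function names and the injectable `resolver` parameter are assumptions made so the check can be exercised without network access.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical SSRF guard for an outbound HTTP client driven by user scripts.
# Added example; not the project's own implementation.

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname to the set of IP address strings it points to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_non_public_address(ip):
    """True for any address an outbound request must never reach."""
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.5) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=resolve_host):
    """Return (allowed, reason) for a URL a script asked the server to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except OSError:
            return False, f"cannot resolve {host!r}"
    # Every address the name maps to must be public; one bad record fails it.
    for ip in addrs:
        if is_non_public_address(ip):
            return False, f"{host} maps to non-public address {ip}"
    # Caller should connect to the vetted address (not re-resolve) to
    # avoid DNS rebinding, and re-run this check on every redirect target.
    return True, "ok"
```

The check must also be applied to each HTTP redirect the client follows, otherwise a public host can bounce the request to an internal one.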

Added: Apr 22, 2026, 10:28 PM
Updated: Apr 22, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.