Squidex Server-Side Request Forgery Vulnerability in Asset Upload Feature

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Squidex, an open-source headless content management system, in versions prior to 7.23.0. A user who holds asset upload permission for an app can make the server fetch an arbitrary URL, including URLs that point at localhost or at private-network addresses, and have the response stored as an asset. The issue arises because the URL upload path neither validates nor restricts the destination before the server connects to it, so anything reachable from the server's network position is exposed.

Impact

Exploitation gives an authenticated low-privilege user access to localhost and private-network resources from the server's context. Because the fetched response is saved as an asset and can be read back through the asset API, this is not only a port-probing primitive: the body of any internal HTTP endpoint the server can reach (admin interfaces, metrics endpoints, services that trust the server's network position) is exfiltrated to the attacker. The risk is highest in deployments where asset upload by URL is enabled for ordinary content editors and the Squidex host sits on a network with unauthenticated internal services.

Reproduction

To reproduce this vulnerability, authenticate as a user with asset upload permission and send a POST request to the '/api/apps/{app}/assets' endpoint that supplies a URL pointing at a local or private-network resource instead of an uploaded file. A vulnerable server fetches the URL from its own network position and stores the response body as a new asset. Downloading that asset through the Squidex asset management API and finding the content of the internal resource confirms the SSRF; a non-vulnerable server refuses the request or fails the fetch before anything is stored.

Remediation

Update to Squidex version 7.23.0 or later, where this vulnerability has been fixed. Deployments that must keep asset upload by URL enabled should additionally enforce standard SSRF protections around the fetch: allow only http and https, resolve the hostname and reject every answer that is a loopback, private, link-local (including the 169.254.169.254 cloud metadata address) or otherwise non-public address, connect to the address that was checked rather than resolving again, and re-apply the same check to each redirect hop instead of letting the HTTP client follow redirects automatically. Restricting URL upload to a trusted role and auditing assets created from URLs are useful interim controls until the upgrade is applied.
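The following guard is an added example that illustrates the protections listed above; it is not Squidex's own code or its fix. It validates the scheme, resolves the host and rejects any non-public answer, returns the vetted address for the fetcher to pin, and re-validates every redirect hop. The resolver and HTTP calls are injectable so the example runs offline against constructed DNS and HTTP tables (FAKE_DNS and FAKE_HTTP, labelled as such); the function and variable names are this example's own assumptions.

```python
"""Guard for a "fetch this URL and save it as an asset" feature (added example, not Squidex code)."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5


class UnsafeUrl(ValueError):
    """The URL must not be fetched from the server's network position."""


def _is_public(ip) -> bool:
    # ::ffff:127.0.0.1 is an IPv6 literal that reaches IPv4 loopback; apply the IPv4 rules to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.169.254 included),
    # shared address space 100.64/10, unspecified and IETF-reserved ranges.
    return ip.is_global and not ip.is_multicast


def default_resolver(host: str) -> Iterable[str]:
    # Real resolver (needs network). libc also accepts non-dotted forms such as "2130706433"
    # and returns 127.0.0.1 for them, which is why the resolver's answers are what get checked.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolver: Callable[[str], Iterable[str]] = default_resolver) -> str:
    """Return the vetted IP the fetcher must connect to, or raise UnsafeUrl."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise UnsafeUrl("no host in URL")
    if host == "localhost" or host.endswith(".localhost"):
        raise UnsafeUrl("localhost is never fetched")
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP, no DNS involved
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeUrl(f"cannot resolve {host!r}: {exc}") from exc
    if not addresses:
        raise UnsafeUrl(f"{host!r} did not resolve")
    for ip in addresses:  # every answer must pass, not just the first
        if not _is_public(ip):
            raise UnsafeUrl(f"{host!r} resolves to non-public address {ip}")
    # The caller connects to this address (pinning), so a second lookup cannot be rebound.
    return str(addresses[0])


def fetch_with_guard(url: str, fetch_once: Callable[[str, str], Tuple[int, Optional[str], bytes]],
                     resolver: Callable[[str], Iterable[str]] = default_resolver) -> bytes:
    """Follow redirects manually, validating every hop. fetch_once(url, pinned_ip) must connect
    to pinned_ip with automatic redirects disabled and return (status, Location or None, body)."""
    for _ in range(MAX_REDIRECTS + 1):
        ip = validate_fetch_url(url, resolver)
        status, location, body = fetch_once(url, ip)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location resolved against the current URL
            continue
        return body
    raise UnsafeUrl("too many redirects")


# Constructed offline stand-ins for DNS and HTTP (assumed data, not real hosts or responses).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "cdn.example.net": ["2001:4860:4860::8888"],
    "intranet.corp": ["10.1.2.3"],
    "mixed.example.org": ["93.184.216.34", "10.1.2.3"],  # one public, one private answer
    "2130706433": ["127.0.0.1"],                         # what libc does with a decimal IP
}
FAKE_HTTP = {
    "https://example.com/logo.png": (200, None, b"\x89PNG fake bytes"),
    "https://example.com/moved": (301, "/logo.png", b""),
    "https://example.com/trap": (302, "http://169.254.169.254/latest/meta-data/", b""),
}


def fake_resolver(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str, pinned_ip: str) -> Tuple[int, Optional[str], bytes]:
    return FAKE_HTTP.get(url, (404, None, b""))


def is_safe_url(url: str) -> bool:
    """True if the guard would let the server fetch url (offline, using FAKE_DNS)."""
    try:
        validate_fetch_url(url, fake_resolver)
        return True
    except UnsafeUrl:
        return False


def guarded_fetch(url: str) -> Optional[bytes]:
    """Body of url after guarded redirects, or None if any hop was rejected (offline)."""
    try:
        return fetch_with_guard(url, fake_fetch, fake_resolver)
    except UnsafeUrl:
        return None


if __name__ == "__main__":
    for u in ("https://example.com/logo.png", "http://[::1]/", "http://2130706433/",
              "http://mixed.example.org/", "https://example.com/trap"):
        print(f"{u:35} safe={is_safe_url(u)} fetched={guarded_fetch(u)!r}")
```

Two details matter in practice. The check is applied to resolver answers rather than to the URL text, which is what defeats decimal, octal and IPv4-mapped spellings of loopback; and the HTTP client used for the real fetch_once must have redirect following switched off and must connect to the pinned address with the Host header set from the URL, otherwise the per-hop validation is bypassed.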

Added: Apr 22, 2026, 10:31 PM
Updated: Apr 22, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 3.1
exploitability: 6.0
remediation: 8.3
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.