New API Blind and Full-Read Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in New API versions through 0.11.9-alpha.1. The SSRF protection introduced in version 0.9.0.5 and strengthened in 0.9.6 does not block the address 0.0.0.0. Regular users holding a valid API token can therefore supply 0.0.0.0 as the target host in requests to certain endpoints; the private-IP filter does not reject it, and the server makes HTTP requests to localhost. When such a request is processed through an AWS/Bedrock Claude adaptor, the fetched content is incorporated into the model response, escalating the issue from a blind SSRF to a full-read SSRF.
Impact
Exploitation of this vulnerability allows authenticated users to bypass the existing SSRF mitigations, probe internal services listening on localhost, and exfiltrate internal content (images, PDFs, or text) through the model's response.
Reproduction
To reproduce this vulnerability, a regular user account with a valid API token is required. First, send a POST request to the '/v1/chat/completions' endpoint with '0.0.0.0' as the host of the image URL. The server attempts to connect to '0.0.0.0' on an allowed port, bypassing the private-IP filter. If the request is then routed through an AWS/Bedrock Claude adaptor, the model returns whatever content was fetched from the internal resource, confirming the SSRF.
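The following Go example, added here and not taken from the New API code base, shows the filter gap described above next to a corrected check: a filter that only tests for loopback and private ranges lets the unspecified address through, while a check that also covers the unspecified, link-local and multicast ranges and IPv4-mapped IPv6 forms rejects it, and the URL-level check applies that test to every address a host maps to. The function names, the Resolver type, the StubResolver lookup table and the host names and addresses it returns are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// naiveIsInternal mirrors a filter that blocks loopback and RFC 1918
// ranges but not the unspecified address 0.0.0.0, which the kernel
// treats as "this host" when it is used as a connect() destination.
func naiveIsInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate()
}

// hardenedIsInternal rejects every address class that can reach the
// server itself or its local network segment, including 0.0.0.0 and ::.
func hardenedIsInternal(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4 // treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as plain IPv4
	}
	return ip.IsUnspecified() || // 0.0.0.0 and ::
		ip.IsLoopback() || // 127.0.0.0/8 and ::1
		ip.IsPrivate() || // 10/8, 172.16/12, 192.168/16, fc00::/7
		ip.IsLinkLocalUnicast() || // 169.254/16 and fe80::/10
		ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast()
}

// Resolver abstracts DNS so the check can be exercised offline; production
// code would pass net.LookupIP here.
type Resolver func(host string) ([]net.IP, error)

// StubResolver is a constructed lookup table used by main (and the test).
// "internal.example" maps to one public and one private address, a shape
// the filter must still reject.
func StubResolver(host string) ([]net.IP, error) {
	if host == "internal.example" {
		return []net.IP{net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("unknown host %q", host)
}

// validateFetchURL checks a user-supplied URL (for example the image URL in
// a chat completion request) before the server fetches it. Literal IP hosts
// are checked directly; names are resolved and every returned address is
// checked, which also covers shorthand spellings the URL parser does not
// treat as IP literals but a resolver may.
func validateFetchURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = resolve(host); err != nil {
		return err
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if hardenedIsInternal(ip) {
			return fmt.Errorf("host %q maps to internal address %s", host, ip)
		}
	}
	return nil
}

func main() {
	for _, raw := range []string{
		"http://0.0.0.0:8080/image.png",       // the literal that slipped past the original filter
		"http://[::]:8080/image.png",          // IPv6 equivalent
		"http://[::ffff:127.0.0.1]/image.png", // IPv4-mapped loopback
		"https://internal.example/image.png",  // name with one private address
		"https://[2001:db8::1]/image.png",     // documentation prefix, treated as external
	} {
		fmt.Printf("%-40s -> %v\n", raw, validateFetchURL(raw, StubResolver))
	}
	// Side by side on the address this advisory is about.
	zero := net.ParseIP("0.0.0.0")
	fmt.Printf("0.0.0.0: naive blocks=%v hardened blocks=%v\n",
		naiveIsInternal(zero), hardenedIsInternal(zero))
}
```

Checking the address once before the fetch is not sufficient on its own: a name can resolve differently between the check and the connection, and an HTTP redirect can point at a new host, so the same test belongs inside the dialer used for the fetch (for example a custom DialContext) and must run again on every redirect hop.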
Remediation
Users are advised to update to a version that addresses this vulnerability once one is released; as of now, no patched version is available.