FastGPT Cloud Metadata Endpoint SSRF Vulnerability Bypass
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in FastGPT versions through 4.14.11. The issue lies in the 'isInternalAddress()' function, which is supposed to block access to cloud metadata endpoints. This block can be bypassed using at least seven different URL encoding techniques that evade the hardcoded blocklist while still resolving to the same metadata service. Furthermore, under the function's default settings these bypasses reach the metadata endpoint without any further validation. As a result, attackers can access sensitive cloud metadata, including IAM credentials and instance information.
Impact
Exploitation of this vulnerability allows for unauthorized access to cloud metadata services, leading to the theft of sensitive information such as AWS IAM credentials, GCP service account tokens, or Azure instance metadata. This access could be used for lateral movement, data access, or privilege escalation within the cloud environment.
Reproduction
To reproduce this vulnerability, send a request to the FastGPT 'httpTools' API endpoint with a URL that points to a cloud metadata service, using one of the bypass techniques that circumvent the application's URL blocklist. The 'isInternalAddress()' function will incorrectly allow the request to proceed, bypassing the intended protection.
Remediation
Developers can patch this vulnerability by updating the 'isInternalAddress()' function to resolve hostnames to IP addresses and check the resolved addresses against the blocklist, rather than matching the URL string alone. Alternatively, the 'CHECK_INTERNAL_IP' environment variable can be set to 'true' to enable private IP checks by default.
