Postiz Time-of-Check-Time-of-Use Vulnerability in SSRF Protections

Vulnerability

A time-of-check-time-of-use (TOCTOU) vulnerability has been identified in the Postiz AI social media scheduling tool, affecting versions from 2.16.6 up to but not including 2.21.7. The issue is a flaw in the server-side request forgery (SSRF) protections introduced in versions 2.21.4 to 2.21.6. The function 'isSafePublicHttpsUrl()' correctly resolves the target hostname via DNS and validates the resulting IP, but the subsequent 'fetch()' calls perform their own, independent DNS resolution. Nothing ties the address that was checked to the address that is connected to, which opens a DNS rebinding window: an attacker who controls the authoritative DNS server for the hostname can answer the validation lookup with a public address and the 'fetch()' lookup with an internal network address.

Impact

Exploitation of this vulnerability allows an attacker to bypass every SSRF URL validation path in the affected versions, potentially leading to unauthorized access to, or interaction with, internal services and cloud metadata endpoints.

Reproduction

The vulnerability can be reproduced by sending a request to a vulnerable Postiz version with a URL whose hostname initially resolves to an address that passes validation. Because the 'fetch()' calls resolve DNS independently of the check, a changed DNS answer redirects the request to an internal address, bypassing the validation.

Remediation

Users are advised to upgrade to Postiz version 2.21.7 or later, where this vulnerability has been patched.

Added: May 8, 2026, 11:26 PM
Updated: May 8, 2026, 11:26 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  7.1
remediation     0.0
relevance       7.8
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.