Nginx UI Server-Side Request Forgery Vulnerability in Proxy Middleware

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Nginx UI versions through 2.3.4. This issue allows an authenticated user to create a cluster node that points to an arbitrary internal URL. When an API request is then sent with the X-Node-ID header, the Proxy middleware forwards it to the specified internal address. This bypasses network segmentation, granting access to services bound to localhost or internal networks.

Impact

Exploitation of this vulnerability allows authenticated users to access internal services on localhost or private networks, bypassing network segmentation and firewalls. This could also be used to access cloud metadata endpoints to steal IAM credentials, port-scan internal networks, or trigger internal-only njs endpoints to escalate privileges.

Reproduction

To reproduce this vulnerability, an authenticated user can follow these steps:

1. Access the Nginx UI API settings to retrieve the node_secret.
2. Create a cluster node via the API that points to an internal URL, such as a localhost service.
3. Send an API request with the X-Node-ID header set to the ID of the newly created node.

The request will be forwarded to the specified internal address, demonstrating the SSRF vulnerability.
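A defensive check for the condition described above, as an added example that is not Nginx UI's code or its fix: it rejects a cluster node URL whose host is, or resolves to, a loopback, private or link-local address. The names checkNodeURL, internalIP, sampleLookup and errInternalTarget and the example.com hosts are hypothetical, and the resolver is injected so the sample runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

var errInternalTarget = errors.New("node URL points at an internal address")

func internalIP(ip net.IP) bool { // link-local covers 169.254.169.254 metadata services
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() || ip.IsMulticast()
}

// checkNodeURL (hypothetical helper) validates a node URL before it is stored or proxied to.
// lookup is injected for offline testing; production code would pass net.LookupIP.
func checkNodeURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("node URL %q is not a valid http(s) URL", raw)
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q", host)
	}
	for _, ip := range ips { // one internal answer is enough to reject the host
		if internalIP(ip) {
			return fmt.Errorf("%w: %s -> %s", errInternalTarget, host, ip)
		}
	}
	return nil
}

// sampleLookup is a constructed resolver; the hosts and addresses are sample data.
func sampleLookup(h string) ([]net.IP, error) {
	return map[string][]net.IP{
		"node2.example.com": {net.ParseIP("203.0.113.10")},
		"mixed.example.com": {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
	}[h], nil
}

func main() {
	for _, raw := range []string{"https://node2.example.com:9000", "http://127.0.0.1:8080", "http://169.254.169.254/"} {
		fmt.Println(raw, "=>", checkNodeURL(raw, sampleLookup))
	}
}
```

Checking only when the node is created leaves a gap if the hostname later resolves to a different address, so the same test belongs on the address the proxy actually dials.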

Added: May 12, 2026, 10:31 PM
Updated: May 12, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 0.6
exploitability: 5.6
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.