FastGPT Server-Side Request Forgery Vulnerability in Laf Workflow Module

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in FastGPT versions prior to 4.14.17. This vulnerability allows unauthenticated attackers or authenticated users with application editing privileges to send arbitrary HTTP requests to internal network addresses. The issue arises in the 'lafModule' workflow node, where the 'fetchData' function uses axios to retrieve user-specified URLs without validating them against the application's internal network blocklist. Because this code path skips the check, it bypasses the SSRF protections that exist elsewhere in the application and exposes internal services to requests issued by the FastGPT backend.

Impact

Exploitation of this vulnerability allows for server-side request forgery, with the potential to access and interact with internal services such as databases, Redis, Minio, and other microservices. This could lead to unauthorized data access, modification of internal system states, or exhaustion of internal resources.

Reproduction

To reproduce this vulnerability, log into FastGPT as a standard user or an app owner. Intercept an application creation or workflow modification API request to include a 'lafModule' node. Alternatively, construct a payload targeting the '/v1/chat/completions' or '/api/core/chat/chatTest' interface where node injection is permitted. Configure the 'lafModule' node with a 'system_httpReqUrl' pointing to an internal server URL, such as a Minio health check endpoint or a Docker metadata endpoint. Trigger the workflow node computation, and the FastGPT backend will make a direct POST request to the specified internal address, returning the response via the workflow node's output edges.

Remediation

Users are advised to update FastGPT to version 4.14.17 or later, where this vulnerability has been patched.

Added: May 8, 2026, 11:20 PM
Updated: May 8, 2026, 11:20 PM

Vulnerability Rating (Custom Algorithm)

  Category        Score
  spread          0.0
  impact          0.6
  exploitability  8.2
  remediation     0.0
  relevance       7.6
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.