Nuxt OG Image Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in the Nuxt OG Image module, specifically in versions 6.2.5 and later. The issue arises from an incomplete denylist in the 'isBlockedUrl()' function, which fails to properly validate certain IPv6 addresses and does not re-validate redirects. This vulnerability allows internal IPs to be accessed during the generation of Open Graph images, potentially leaking sensitive information from local services.
Impact
Exploitation of this vulnerability allows for server-side request forgery, where internal services can be accessed and their responses returned as part of the generated Open Graph image. This could lead to the unintentional exposure of sensitive data from internal applications or services.
Reproduction
The vulnerability can be reproduced by using the Nuxt OG Image module to generate an Open Graph image that includes a user-controlled URL. The 'isBlockedUrl()' function incorrectly allows certain IPv4-mapped IPv6 addresses and other specific IPv6 prefixes, bypassing the intended validation and enabling access to internal services via server-side requests.
Remediation
Users can update to Nuxt OG Image version 6.4.9, where this vulnerability has been fixed.
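The two gaps described above, a denylist that misses IPv4-mapped IPv6 forms and redirects that are followed without re-validation, can be closed as in the following added example. It is not the module's own code: isInternalUrl(), safeFetch() and the range list are hypothetical names and constructed values.

```javascript
// Added example (hypothetical names); constructed list of non-public IPv4 ranges.
const V4_BLOCKED = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);
function isBlockedV4(ip) {
  return V4_BLOCKED.some(([base, bits]) => {
    const size = 2 ** (32 - bits); // compare the network part only
    return Math.floor(v4ToInt(ip) / size) === Math.floor(v4ToInt(base) / size);
  });
}
// Expand a URL-normalized IPv6 host (hex groups, optional "::") into 8 numbers.
function expandV6(host) {
  const [head, tail] = host.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const fill = tail === undefined ? [] : Array(8 - h.length - t.length).fill('0');
  return [...h, ...fill, ...t].map((g) => parseInt(g, 16));
}
function isBlockedV6(host) {
  const g = expandV6(host);
  const zeros = (n) => g.slice(0, n).every((x) => x === 0);
  // ::ffff:a.b.c.d carries an IPv4 address: judge the embedded IPv4, not the IPv6 text.
  if (zeros(5) && g[5] === 0xffff)
    return isBlockedV4(`${g[6] >> 8}.${g[6] & 255}.${g[7] >> 8}.${g[7] & 255}`);
  if (zeros(6)) return true; // ::, ::1 and deprecated IPv4-compatible ::a.b.c.d
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}

function isInternalUrl(raw) {
  let url; try { url = new URL(raw); } catch { return true; } // unparsable: fail closed
  if (!['http:', 'https:'].includes(url.protocol)) return true;
  const host = url.hostname; // URL parsing canonicalizes 0x7f.1, [::ffff:127.0.0.1], ...
  if (host.startsWith('[')) return isBlockedV6(host.slice(1, -1));
  if (/^\d+(\.\d+){3}$/.test(host)) return isBlockedV4(host);
  return host === 'localhost' || host.endsWith('.localhost');
}

// Follow redirects by hand so every hop is validated before it is requested.
async function safeFetch(raw, fetchImpl = fetch, maxHops = 5) {
  let target = raw;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (isInternalUrl(target)) throw new Error(`blocked: ${target}`);
    const res = await fetchImpl(target, { redirect: 'manual' });
    const next = res.status >= 300 && res.status < 400 && res.headers.get('location');
    if (!next) return res;
    target = new URL(next, target).href;
  }
  throw new Error('too many redirects');
}
```

A hostname that resolves to an internal address passes this string check, so the resolved IP needs the same test at connect time.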
