Karakeep Server-Side Request Forgery Protection Bypass Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in Karakeep versions prior to 0.32.0. This vulnerability affects components that process HTTP redirects. Although the application has safeguards to prevent requests to internal or private network destinations, these can be circumvented by manipulating HTTP redirect chains. An authenticated user could exploit this flaw to direct application components to make requests to internal Docker network services accessible from the application environment. The vulnerability impacts various processing paths, including crawler-related functions and video download workflows.

Impact

Exploitation of this vulnerability could allow an authenticated user to send requests to internal services within the application's Docker network, potentially accessing internal APIs, search infrastructure, development services, debugging interfaces, or other private HTTP endpoints.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/v1/bookmarks' endpoint with an authorization token. Include a URL that redirects to an internal Docker service, such as MeiliSearch. The application will follow the redirect and access the internal service, demonstrating the SSRF protection bypass.

Remediation

Users should update to Karakeep version 0.32.0 or later, where this vulnerability has been patched.

Added: May 26, 2026, 4:49 PM
Updated: May 26, 2026, 4:49 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.4
exploitability: 6.0
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.