Spatie Laravel Media Library Server-Side Request Forgery Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Spatie Laravel Media Library versions prior to 11.23.0. This vulnerability allows remote attackers to manipulate the server into making arbitrary outbound HTTP requests. The issue arises from the addMediaFromUrl() method in InteractsWithMedia.php, which accepts user-controlled URLs without proper validation, exposing the application to potential attacks on internal resources or cloud metadata endpoints.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server perform HTTP requests on their behalf. This could be used to access internal services, RFC 1918 addresses, loopback addresses, or cloud metadata, depending on the server's environment.

Reproduction

To reproduce this vulnerability, upload a file using the addMediaFromUrl() method with a URL that the server can reach. The URL can point to an internal resource or a cloud metadata endpoint, such as the one used by AWS.

Remediation

Users can update to Spatie Laravel Media Library version 11.23.0 or later, where this vulnerability has been addressed.