Medplum
- < 5.1.14
A server-side request forgery (SSRF) vulnerability has been identified in Medplum versions prior to 5.1.14. This vulnerability allows authenticated users to make unauthorized internal network requests through the subscription worker. By creating FHIR Subscription resources with arbitrary endpoint URLs, attackers can direct these requests to internal services such as cloud metadata endpoints, internal databases, or container orchestration services. This could lead to the exfiltration of IAM credentials and patient health records, as the POST body would contain full FHIR resource payloads.
Exploitation of this vulnerability could result in unauthorized internal network requests, potentially leading to the exfiltration of sensitive data such as IAM credentials and patient health records.
To reproduce this vulnerability, create a FHIR Subscription resource and specify an endpoint URL that points to an internal service, such as a cloud instance metadata service or an internal database. Once the subscription is active, the server will send requests to the specified endpoint, including sensitive data in the POST body.
Users should update to Medplum version 5.1.14 or later, where this vulnerability has been patched.
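One defensive check a deployment or maintainer could apply alongside the upgrade, shown as an added example that is not Medplum's own code or the 5.1.14 patch: validate `Subscription.channel.endpoint` before it is accepted, rejecting literal addresses in loopback, RFC 1918, link-local (which contains the 169.254.169.254 metadata address) and IPv6 ULA ranges, plus well-known metadata hostnames. The function names, the blocked-range list and the `.internal` hostname rule are assumptions.

```typescript
import { URL } from "node:url";
import * as net from "node:net";
// Blocked IPv4 ranges as [network, prefix length]: loopback, RFC 1918, link-local
// (which includes the 169.254.169.254 cloud metadata address). Constructed list.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function v4InRange(ip: string, network: string, prefix: number): boolean {
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return (v4ToInt(ip) & mask) === (v4ToInt(network) & mask);
}

// True when a literal IP address must not be contacted by the subscription worker.
export function isBlockedAddress(ip: string): boolean {
  // Unwrap IPv4-mapped IPv6 in both spellings (::ffff:127.0.0.1 and ::ffff:7f00:1),
  // which would otherwise slip past a pure-IPv4 range check.
  const dotted = ip.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
  const hex = ip.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);
  if (dotted) ip = dotted[1];
  else if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    ip = `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
  }
  if (net.isIPv4(ip)) return BLOCKED_V4.some(([n, p]) => v4InRange(ip, n, p));
  if (net.isIPv6(ip)) {
    const l = ip.toLowerCase(); // unspecified, loopback, link-local, ULA
    return l === "::" || l === "::1" || l.startsWith("fe80:") || /^f[cd]/.test(l);
  }
  return true; // not a literal address: fail closed
}

// Validates a Subscription channel endpoint before it is stored or dispatched.
export function isSafeSubscriptionEndpoint(endpoint: string): boolean {
  let url: URL | undefined;
  try { url = new URL(endpoint); } catch { /* malformed */ }
  if (!url) return false;
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // The WHATWG parser normalises 0x7f000001, 2130706433 and 127.1 to dotted form.
  const host = url.hostname.replace(/^\[|\]$/g, "").replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host === "metadata.google.internal" || host.endsWith(".internal")) return false;
  if (net.isIP(host)) return !isBlockedAddress(host);
  // A DNS name must also be resolved at connect time and every returned address
  // passed through isBlockedAddress(), or DNS rebinding defeats this check.
  return true;
}
```

Checking the literal URL at creation time is necessary but not sufficient: the same address check has to run against the resolved addresses when the worker actually connects, and the stored endpoint should be re-validated if the allowed-range policy changes.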