Nanobot Server-Side Request Forgery Vulnerability in Web Fetch Tool

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Nanobot versions prior to 0.2.1. This vulnerability resides in the web_fetch tool, where remote attackers can access internal or private network hosts. Exploitation involves supplying a URL that redirects to a loopback or private address via a 3xx Location header. The vulnerability takes advantage of the httpx library's automatic HTTP redirect following behavior, allowing attackers to bypass initial URL validation. As a result, outbound requests are sent to internal hosts before the final resolved URL is validated.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests to internal or private network resources, potentially leading to unauthorized access or information disclosure.

Reproduction

The vulnerability can be reproduced by using the web_fetch tool in Nanobot versions prior to 0.2.1. First, send a request with a URL that redirects to a loopback or private address. The web_fetch tool will follow the redirect, bypassing initial URL validation, and send a request to the internal host. This can be automated with a script that uses the httpx library to handle the redirects.
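The defensive pattern the mechanism above calls for, as an added example that is not Nanobot's code: automatic redirect following is switched off and every hop, including any 3xx Location target, is validated (literal IPs, DNS answers, IPv4-mapped IPv6) before the request for that hop is sent, instead of only checking the final resolved URL. The `send` callable, the function names and the fetch loop are assumptions; in production `send` wraps a client built with `httpx.Client(follow_redirects=False)`.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)

def resolve(host):  # default resolver: every A/AAAA answer for the name
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_blocked_address(ip):
    """Loopback, private, link-local, multicast, reserved and unspecified are off-limits."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_url(url, resolver=resolve):
    """Return the reason a URL must not be fetched, or '' when it passes."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return "missing host"
    try:  # literal IP in the URL: check it directly, no DNS lookup needed
        ips = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        ips = resolver(parts.hostname)
    if not ips:
        return "could not resolve %s" % parts.hostname
    blocked = [ip for ip in ips if is_blocked_address(ip)]
    return "%s resolves to blocked address %s" % (parts.hostname, blocked[0]) if blocked else ""

def safe_fetch(url, send, resolver=resolve):
    """Follow redirects by hand so every hop is validated BEFORE its request goes out.
    send(url) issues ONE request with redirects off (httpx.Client(follow_redirects=False))
    and returns (status, headers, body); this hypothetical callable is supplied by the caller."""
    for _ in range(MAX_REDIRECTS + 1):
        reason = validate_url(url, resolver)
        if reason:
            raise ValueError("blocked %s: %s" % (url, reason))
        status, headers, body = send(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_CODES or not location:
            return url, status, body
        url = urljoin(url, location)  # relative Location values resolve against this hop
    raise ValueError("too many redirects")
```

Checking a name here and letting the HTTP client resolve it again later leaves a DNS rebinding window; in production, pin the connection to the address that was validated.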

Remediation

Users can upgrade to Nanobot version 0.2.1 or later, where this vulnerability has been fixed.

Added: Jun 1, 2026, 9:23 PM
Updated: Jun 1, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 5.7
remediation: 0.0
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.