Chatwoot Server-Side Request Forgery Vulnerability in Webhook API

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Chatwoot versions prior to 4.11.2. The issue arises in the Webhook API, specifically within the Webhooks::Trigger function in the lib/webhooks/trigger.rb file. Users with the appropriate roles can create webhooks that POST to user-defined URLs. While the Webhook model validates the URL format, it does not reject URLs that point to internal or private IP addresses. This missing check allows the Chatwoot server to be manipulated into sending requests to internal services, potentially leading to unauthorized access or data exposure.

Impact

Exploitation of this vulnerability could result in unauthorized access to internal services and data. The Chatwoot server could be tricked into sending POST requests to internal APIs or metadata endpoints, exposing sensitive information such as conversation data and personal customer details. Additionally, access to cloud metadata endpoints could allow the theft of IAM credentials, further escalating the impact.

Reproduction

To reproduce this vulnerability, authenticate as a user with permission to create webhooks. Then, create a webhook that points to an internal URL, such as an AWS metadata endpoint. Once the webhook is triggered, the Chatwoot server will send a POST request to the specified internal URL, demonstrating the SSRF vulnerability. Alternatively, the vulnerability can be reproduced by creating an automation rule that sends a webhook event to an internal service, such as a Redis instance or a PostgreSQL database.

Remediation

It is recommended to validate webhook URLs against private and other reserved IP ranges both before saving them and again before executing them, since a hostname that resolves to a public address at save time can later resolve to an internal one. Additionally, using an SSRF-safe HTTP client in the Webhooks::Trigger class can help mitigate the vulnerability. Applying the same protections to automation rule and macro webhook actions is also advised.
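The following is an added example of the kind of check the remediation describes; it is not Chatwoot's own code and does not reproduce the 4.11.2 fix. It parses a webhook URL, resolves the hostname, and rejects any address that falls in loopback, link-local (which covers cloud metadata endpoints), RFC 1918, or other reserved ranges, including IPv4-mapped IPv6 forms. The `WebhookUrlGuard` module, the `resolver:` keyword and the sample hostnames and addresses are all constructed for this example.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Added example (not Chatwoot's code): decide whether a webhook URL may be
# delivered to. Every resolved address is checked, so a public-looking
# hostname that also resolves to 10.x.x.x is rejected.
module WebhookUrlGuard
  Result = Struct.new(:safe, :reason, :addresses)

  # CIDR ranges a webhook must never reach. The map keeps the original
  # string so the rejection reason can name the matching range.
  BLOCKED_RANGES = %w[
    0.0.0.0/8
    10.0.0.0/8
    100.64.0.0/10
    127.0.0.0/8
    169.254.0.0/16
    172.16.0.0/12
    192.168.0.0/16
    224.0.0.0/4
    240.0.0.0/4
    ::/128
    ::1/128
    fc00::/7
    fe80::/10
  ].map { |cidr| [cidr, IPAddr.new(cidr)] }.to_h.freeze

  ALLOWED_SCHEMES = %w[http https].freeze

  # The default resolver asks the system resolver; tests inject a stub
  # so the check runs offline.
  DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

  # Returns a Result. Call this right before each delivery (not only at
  # save time) and connect to one of result.addresses rather than letting
  # the HTTP client resolve the name again, so DNS rebinding between the
  # check and the request cannot redirect the call to an internal host.
  def self.check(url, resolver: DEFAULT_RESOLVER)
    uri = URI.parse(url.to_s)
    unless ALLOWED_SCHEMES.include?(uri.scheme)
      return Result.new(false, 'scheme must be http or https', [])
    end

    host = uri.hostname # strips the [] around an IPv6 literal
    return Result.new(false, 'missing host', []) if host.nil? || host.empty?

    # An IP literal is checked directly; a hostname is resolved and every
    # returned address is checked. An unresolvable name is rejected.
    addresses = literal_ip?(host) ? [host] : Array(resolver.call(host))
    return Result.new(false, 'host does not resolve', []) if addresses.empty?

    addresses.each do |addr|
      ip = IPAddr.new(addr)
      ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 -> 127.0.0.1
      cidr, = BLOCKED_RANGES.find { |_, range| range.include?(ip) }
      if cidr
        return Result.new(false, "#{host} -> #{addr} is in blocked range #{cidr}", addresses)
      end
    end

    Result.new(true, 'ok', addresses)
  rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
    Result.new(false, "unparseable: #{e.message}", [])
  end

  def self.literal_ip?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end
```

Because the guard returns the vetted addresses, the delivery code can pin the connection to one of them (for example with `Net::HTTP#ipaddr=`) instead of resolving the hostname a second time. Run the same check for automation rule and macro webhook actions, since they build requests from user-supplied URLs in the same way.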

Added: Mar 31, 2026, 5:22 PM
Updated: Mar 31, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.