huimeicloud hmEditor Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability exists in huimeicloud's hmEditor version 2.2.3 and prior. The issue arises in the image-to-base64 endpoint within the src/mcp-server.js file, where the client.get function improperly validates user-supplied URLs. This flaw allows remote attackers to manipulate the URL parameter and make arbitrary HTTP requests from the server, potentially accessing internal resources or sensitive metadata endpoints. The vulnerability is present because the application trusts user input for outbound requests without adequate validation or restrictions, particularly against loopback addresses or private network ranges.
Impact
Exploitation of this vulnerability could lead to unauthorized access to internal network resources, sensitive metadata endpoints, or other internal systems not intended for exposure.
Reproduction
The vulnerability can be reproduced by sending a POST request to the /image-to-base64 endpoint with a manipulated URL parameter. This request can be made using tools like curl or Postman.
Remediation
It is recommended to implement a strict URL allowlist, reject loopback and private network destinations after DNS resolution, and disable arbitrary user-supplied fetch and browser-navigation targets where not needed. Adding authentication, authorization, audit logging, and rate limiting around sensitive HTTP handlers can also help mitigate the risk.