Cloudreve
cpe:2.3:a:cloudreve:cloudreve:*:*:*:*:*:*:*
- <= 4.16.0
A server-side request forgery (SSRF) vulnerability has been identified in Cloudreve's remote download feature, prior to version 4.16.1. This issue allows non-admin users with remote download permissions to access internal URLs via the server's downloader. The vulnerability arises because the application fails to validate user-supplied URLs before processing them, leaving internal services exposed. Exploitation can be achieved by redirecting to loopback addresses or by directly accessing internal-only URLs, with the response being imported into the user's Cloudreve files.
Exploitation of this vulnerability allows access to internal HTTP services, loopback-only admin panels, local service metadata, or other network resources not directly reachable by the user.
To reproduce this vulnerability, first ensure that the user is authenticated and belongs to a group with remote download permissions. Then, send a POST request to the '/api/v4/workflow/download' endpoint with a URL that points to an internal service or loopback address. After the download is processed, the imported response can be accessed through Cloudreve's file management APIs.
Users can update to Cloudreve version 4.16.1 or later, where this vulnerability has been fixed.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.