devlikeapro WAHA Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in devlikeapro WAHA versions through 2026.3.4. The issue arises in the media conversion API endpoint, where user-provided URLs are fetched server-side without proper validation. This vulnerability allows authenticated users with an API key to access internal services or metadata by manipulating the URL input.
Impact
Exploitation of this vulnerability allows authenticated users to perform server-side request forgery, potentially accessing internal HTTP services and metadata, with some risk of abusing large or slow remote resources.
Reproduction
To reproduce this vulnerability, send a POST request to the media conversion endpoint with a URL that the WAHA server can fetch. Include a valid API key in the request headers. The server will retrieve the content from the specified URL, demonstrating the SSRF vulnerability. This can be verified by observing the inbound request on a listener set up to receive the fetched content.
Remediation
It is recommended to disable URL-based media inputs when not needed, enforce strict destination allowlists for outbound URL fetches, and apply outbound egress policies at the network layer. Additionally, introducing a centralized SSRF-safe URL validator before fetching URLs and adding security regression tests for private IP, DNS rebinding, and redirect bypass patterns could help mitigate this vulnerability.
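An added example, not WAHA's own code, of the centralized SSRF-safe validator the remediation calls for, written in TypeScript since WAHA is a Node.js project: it restricts schemes, resolves the host, rejects private, loopback, link-local and metadata ranges (including mixed public/private answer sets), and returns a pinned address that the fetch must connect to. The `Resolver` type, the function names and the blocked-range table are assumptions of this example, not anything taken from the project.

```typescript
import { isIP } from "node:net";
import { promises as dns } from "node:dns";

// Resolver is injectable so the check can be exercised without network access.
export type Resolver = (host: string) => Promise<string[]>;
const systemResolver: Resolver = async (host) =>
  (await dns.lookup(host, { all: true })).map((a) => a.address);

// Blocked IPv4 ranges: unspecified, RFC 1918, CGNAT, loopback, link-local (cloud metadata lives here).
const BLOCKED_V4: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
const v4ToInt = (ip: string) => ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
const prefix = (ip: string, bits: number) => Math.floor(v4ToInt(ip) / 2 ** (32 - bits));

export function isPublicAddress(ip: string): boolean {
  if (isIP(ip) === 4) {
    return !BLOCKED_V4.some(([net, bits]) => prefix(ip, bits) === prefix(net, bits));
  }
  if (isIP(ip) === 6) {
    const v6 = ip.toLowerCase();
    const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped, dotted form
    if (mapped) return isPublicAddress(mapped[1]);
    // loopback, unspecified, unique-local fc00::/7, link-local fe80::/10
    return !(v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6));
  }
  return false; // not an IP literal at all
}

// Scheme and credential checks. new URL() throws on malformed input, and the WHATWG
// parser already normalises forms such as "2130706433" or "0x7f.1" to dotted IPv4.
export function parseAllowedUrl(raw: string): URL {
  const url = new URL(raw);
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("scheme not allowed");
  if (url.username || url.password) throw new Error("credentials in URL not allowed");
  return url;
}

// Every resolved answer must be public (a mixed answer set is a DNS rebinding setup). The returned
// address is what the client must connect to, so a later re-resolution cannot swap in an internal target.
export function pinPublicAddress(addrs: string[]): string {
  if (addrs.length === 0) throw new Error("host did not resolve");
  if (!addrs.every(isPublicAddress)) throw new Error("destination is not a public address");
  return addrs[0];
}

export async function validateOutboundUrl(raw: string, resolve: Resolver = systemResolver) {
  const url = parseAllowedUrl(raw);
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const addrs = isIP(host) ? [host] : await resolve(host);
  return { url, pinnedIp: pinPublicAddress(addrs) };
}

// Follow redirects manually (fetch with redirect: "manual") and re-validate every Location the same way.
export function resolveRedirect(from: URL, location: string, resolve: Resolver = systemResolver) {
  return validateOutboundUrl(new URL(location, from).href, resolve);
}
```

The caller connects to `pinnedIp` while sending the original hostname as the Host/SNI value, and routes each redirect target through `resolveRedirect` so a redirect to an internal address is rejected like any other input.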
