HBAI-Ltd Toonflow Server-Side Request Forgery Vulnerability in getCodeByLink Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in HBAI-Ltd Toonflow-app versions through 1.1.1. The issue resides in the getCodeByLink endpoint, specifically within the fetch function of the file src/routes/setting/vendorConfig/getCodeByLink.ts. This vulnerability allows remote attackers to manipulate the link parameter, leading to unauthorized internal requests and potential exposure of sensitive data.

Impact

Exploitation of this vulnerability allows attackers to access internal services, read cloud instance metadata to obtain IAM credentials, and exfiltrate the administrator's plaintext password by chaining the SSRF with an internal API.

Reproduction

To reproduce this vulnerability, send a POST request to the /api/setting/vendorConfig/getCodeByLink endpoint with a loopback URL targeting an internal API. The request must include a valid JWT token in the Authorization header. The server will fetch the specified URL and return the full response, demonstrating the SSRF vulnerability. This exploitation can be automated with a script that includes the necessary authentication and targets internal services or metadata endpoints.

Remediation

The vulnerability can be addressed by implementing proper validation on the link parameter to restrict protocols, block private IP ranges, and ensure only HTTPS URLs are accepted. Additionally, sensitive internal APIs should be modified to exclude plaintext passwords from responses.
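The validation described above, as an added example that is not Toonflow's own code: a TypeScript allow-list check for a server-fetched URL such as the link parameter, assuming Node.js, whose WHATWG URL class canonicalises host literals (0x7f000001 and 2130706433 both become 127.0.0.1) before these checks run. The blocked ranges and hostnames are a representative list, not an exhaustive one.

```typescript
// Added example (not Toonflow's own code): allow-list validation for a
// server-fetched URL such as the `link` parameter discussed above.
// Assumes Node.js; the WHATWG `URL` parser canonicalises host literals
// (e.g. 0x7f000001 and 2130706433 both become 127.0.0.1) before we look.

// Hostnames that must never be fetched server-side (representative list).
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

// Representative private/reserved IPv4 ranges; extend for your environment.
function isBlockedIPv4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||            // 0/8, 10/8, loopback
    (a === 169 && b === 254) ||                    // link-local, incl. 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||           // 172.16/12
    (a === 192 && b === 168) ||                    // 192.168/16
    (a === 100 && b >= 64 && b <= 127) ||          // 100.64/10 (CGNAT)
    a >= 224                                       // multicast / reserved
  );
}

function isBlockedIPv6(ip: string): boolean {
  if (ip === "::" || ip === "::1") return true;    // unspecified / loopback
  if (/^fe[89ab]/.test(ip)) return true;           // fe80::/10 link-local
  if (/^f[cd]/.test(ip)) return true;              // fc00::/7 unique-local
  // IPv4-mapped address (URL serialises it as ::ffff:hhhh:hhhh): re-check as IPv4
  const m = ip.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Returns the reason a link is rejected, or null when it may be fetched.
function rejectLinkReason(link: string): string | null {
  const url = (() => { try { return new URL(link); } catch { return null; } })();
  if (!url) return "unparseable URL";
  if (url.protocol !== "https:") return "only https: is allowed";
  if (url.username || url.password) return "credentials in URL";
  const host = url.hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (BLOCKED_HOSTS.has(host)) return "blocked hostname";
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isBlockedIPv4(host)) return "private or reserved IPv4";
  if (host.includes(":") && isBlockedIPv6(host)) return "private or reserved IPv6";
  // A public hostname can still resolve to an internal address (DNS rebinding):
  // resolve it and re-run the IP checks on the address actually connected to.
  return null;
}
```

The final comment matters in practice: a hostname check alone is bypassable by a DNS record that resolves to an internal address, so the same IP checks should run on the resolved address at connect time.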

Added: Apr 27, 2026, 4:19 AM
Updated: Apr 27, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.