HBAI-Ltd Toonflow Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in HBAI-Ltd Toonflow-app versions through 1.1.1. The issue is in the downloadApp endpoint implemented in src/routes/setting/about/downloadApp.ts: the url argument is validated only as a well-formed URL (the z.url schema), after which the server fetches the archive it points to and processes it. By controlling that URL, an authenticated attacker can supply an archive whose contents traverse out of the intended location and overwrite files in the application directory, which results in arbitrary code execution on the server.
Impact
Exploitation gives the attacker complete remote code execution on the server: the application's own server-side JavaScript can be replaced with malicious code, and because the replaced file is part of the deployed application, the backdoor persists across restarts. Because the server fetches whatever URL it is given, the same endpoint also serves as a server-side request forgery (SSRF) primitive for reaching internal networks and cloud metadata services. Finally, overwriting application data through the same write primitive can destroy important files such as prompt templates and machine learning models.
Reproduction
To reproduce this vulnerability, an authenticated user sends a POST request to the /api/setting/about/downloadApp endpoint whose url parameter points to an attacker-controlled ZIP file. The ZIP contains a backdoored app.js; once the server downloads and processes the archive, that file replaces the application's own app.js and is executed by the server. Hosting the ZIP on any simple HTTP server reachable from the Toonflow host is sufficient.
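The following TypeScript is an added illustrative example written for this page; it is not code from Toonflow-app and does not reproduce what the 1.1.2 fix actually changed. It shows the two checks the handler described above is missing: a URL validator that rejects non-HTTPS schemes, embedded credentials and loopback, link-local (including the cloud metadata address 169.254.169.254), IPv4-mapped and private hosts before the server fetches anything, and a ZIP entry path check that refuses any archive entry that would land outside a dedicated extraction directory, so an attacker's app.js cannot replace the application's own files. The function names, the extraction directory and the sample entry names are assumptions for the example.

```typescript
import * as path from "node:path";
import * as net from "node:net";

// Literal host check for server-side fetches. A production version must also
// resolve the name and check every returned address, because a public hostname
// can point at an internal IP (DNS rebinding is not handled here).
export function isBlockedHost(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "metadata.google.internal") return true;
  if (net.isIPv6(h)) {
    return (
      h === "::1" || h === "::" ||
      h.startsWith("fe80:") ||                  // link-local
      h.startsWith("fc") || h.startsWith("fd") || // unique local (fc00::/7)
      h.startsWith("::ffff:")                   // IPv4-mapped, checked separately
    );
  }
  if (!net.isIPv4(h)) return false;             // a hostname, not an address
  const [a, b] = h.split(".").map(Number);
  return (
    a === 0 || a === 127 || a === 10 ||          // this-host, loopback, 10/8
    (a === 169 && b === 254) ||                  // link-local incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||         // 172.16/12
    (a === 192 && b === 168) ||                  // 192.168/16
    (a === 100 && b >= 64 && b <= 127)           // 100.64/10 shared address space
  );
}

// Accept only https:// URLs without credentials to hosts outside the blocked
// ranges. The WHATWG parser normalises tricks such as "0x7f000001" or "127.1"
// to dotted-quad form before isBlockedHost sees them.
export function validateDownloadUrl(raw: string): URL | null {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null;
  if (u.username !== "" || u.password !== "") return null;
  if (isBlockedHost(u.hostname)) return null;
  return u;
}

// Decide where a ZIP entry may be written. destRoot must be a dedicated
// directory (assumed here to be outside the application's source tree) that
// the server never requires or executes from. Returns the absolute target
// path, or null if the entry is absolute, contains a null byte, or would
// resolve outside destRoot. Symlink entries are not handled here and should
// be rejected by the extraction library.
export function safeEntryPath(destRoot: string, entryName: string): string | null {
  const root = path.resolve(destRoot);
  const rel = entryName.replace(/\\/g, "/").replace(/\/+$/, ""); // ZIP uses '/', some tools '\'
  if (rel === "" || rel.includes("\0")) return null;
  if (path.posix.isAbsolute(rel) || /^[a-zA-Z]:/.test(rel)) return null; // "/etc/..." or "C:/..."
  const target = path.resolve(root, rel);
  if (target !== root && !target.startsWith(root + path.sep)) return null; // escaped via ".."
  return target;
}

// Sketch of how a handler would combine the two checks before downloading.
// (Constructed example input; no network access is performed here.)
export function planDownload(rawUrl: string, destRoot: string, entryNames: string[]): string[] | null {
  if (validateDownloadUrl(rawUrl) === null) return null;
  const targets: string[] = [];
  for (const name of entryNames) {
    const t = safeEntryPath(destRoot, name);
    if (t === null) return null; // one bad entry rejects the whole archive
    targets.push(t);
  }
  return targets;
}
```

Two design points matter beyond the checks themselves. First, rejecting the whole archive on a single bad entry is deliberate: partially extracting an archive that also contained a traversal entry leaves the attacker with a known-good write primitive to retry against. Second, the host check is only a first line of defence; the downloaded content must also be written somewhere the Node process never loads code from, which is what actually breaks the path from "write app.js" to "execute app.js".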
Remediation
Users are advised to update to version 1.1.2 or later, where this vulnerability has been addressed.
