PrefectHQ Prefect Webhook Component Time-of-Check Time-of-Use Vulnerability Allowing Server-Side Request Forgery

Vulnerability

A time-of-check time-of-use (TOCTOU) vulnerability has been identified in the PrefectHQ Prefect workflow orchestration tool, affecting versions through 3.6.28.dev1. The issue resides in the Webhook component's URL validation function, 'validate_restricted_url', which checks where a webhook URL resolves at validation time but not at request time. An attacker who controls the DNS answers for the webhook hostname can therefore pass validation with a public address and have the actual request delivered to a private one, giving server-side request forgery (SSRF) against internal HTTP services such as cloud metadata endpoints or the Kubernetes API. All 3.x releases up to and including 3.6.26, the latest stable version at the time of writing, are affected. The flaw is exploitable remotely but is rated as high attack complexity, which makes exploitation harder in practice.

Impact

Successful exploitation yields server-side request forgery: the Prefect server issues HTTP requests on the attacker's behalf to services that are reachable only from its network position, so those internal services can be read from and potentially manipulated.

Reproduction

The vulnerability can be reproduced by setting up a Prefect Webhook notification block with 'allow_private_urls' set to false, so that private targets are supposed to be rejected. Then call 'validate_restricted_url' with a URL whose hostname the attacker controls. The check resolves that hostname and sees a public IP address, so the URL is accepted; when the request is later sent, the HTTP client resolves the hostname again and now receives a private IP address (DNS rebinding), so the request reaches an internal service that the check was meant to block.

Remediation

Users are advised to upgrade to Prefect version 3.6.28.dev2, which addresses this vulnerability by enhancing the URL validation process and introducing a new HTTP transport that protects against DNS rebinding attacks.
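The following is an added illustration of the check-then-use pattern described under Reproduction and of the pinned-address approach that the fix is described as taking under Remediation. It is not Prefect's code and does not reproduce 'validate_restricted_url'; the resolver and transport are constructed stand-ins so the example runs offline, and the hostname 'hook.attacker.example' and the scripted DNS answers are assumptions. The vulnerable flow validates by hostname and then lets the client resolve the hostname a second time; the hardened flow resolves once, vets every returned address, and connects to the vetted address.

```python
import ipaddress
from urllib.parse import urlparse


class RebindingResolver:
    """Constructed stand-in for DNS: returns a scripted sequence of answers,
    so a name can resolve to a public address first and a private one later,
    the way an attacker-controlled rebinding domain behaves."""

    def __init__(self, scripted_answers):
        self._answers = list(scripted_answers)
        self.calls = 0

    def resolve(self, hostname):
        # Hand out the next scripted answer; the last one repeats thereafter.
        idx = min(self.calls, len(self._answers) - 1)
        self.calls += 1
        return list(self._answers[idx])


def is_restricted(ip_text):
    """True for any address a webhook should never be allowed to reach."""
    addr = ipaddress.ip_address(ip_text)
    return (
        addr.is_private        # RFC 1918, 169.254/16 (cloud metadata), IPv6 ULA
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def check_url(url, resolver, allow_private_urls=False):
    """Validation step: resolve the hostname and reject restricted targets.
    Returns the list of addresses that passed, for the caller to pin to."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("only http(s) URLs with a hostname are accepted")
    addresses = resolver.resolve(parsed.hostname)
    if not allow_private_urls:
        for ip in addresses:
            if is_restricted(ip):
                raise ValueError(f"{parsed.hostname} resolves to restricted address {ip}")
    return addresses


def fake_transport(ip):
    """Constructed transport: instead of opening a socket it reports the
    address the connection would have gone to."""
    return ip


def vulnerable_fetch(url, resolver, allow_private_urls=False):
    """TOCTOU pattern: validate by hostname, then let the HTTP client resolve
    the hostname again when it connects. A rebinding name passes the check
    with a public answer and is connected to with a private one."""
    check_url(url, resolver, allow_private_urls)
    hostname = urlparse(url).hostname
    ip_at_use = resolver.resolve(hostname)[0]   # second lookup, may differ
    return fake_transport(ip_at_use)


def pinned_fetch(url, resolver, allow_private_urls=False):
    """Hardened pattern: resolve once, vet every returned address, and connect
    to the vetted address rather than re-resolving the hostname."""
    addresses = check_url(url, resolver, allow_private_urls)
    return fake_transport(addresses[0])


if __name__ == "__main__":
    # Assumed attacker-controlled name: public on the first lookup,
    # the cloud metadata address on the second.
    answers = [["93.184.216.34"], ["169.254.169.254"]]
    hit = vulnerable_fetch("http://hook.attacker.example/x", RebindingResolver(answers))
    print("vulnerable flow connected to", hit)   # 169.254.169.254
    hit = pinned_fetch("http://hook.attacker.example/x", RebindingResolver(answers))
    print("pinned flow connected to", hit)       # 93.184.216.34
```

With a real HTTP client the pinned variant has to connect to the vetted IP address while still sending the original hostname in the Host header and, for https, as the TLS server name, which is why a dedicated transport rather than a pre-request check is the usual shape of the fix. Checking every address in the answer rather than only the first also matters: a name can return one public and one private record in the same response.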

Added: May 4, 2026, 3:21 AM
Updated: May 4, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 5.6
remediation: 7.7
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.