Router-for-me CLIProxyAPI Server-Side Request Forgery Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Router-for-me CLIProxyAPI version 6.9.29. The issue arises in the API Interface component, specifically within the file 'internal/api/handlers/management/api_tools.go'. The vulnerability allows remote exploitation by manipulating the 'url' argument, bypassing verification checks that should prevent access to internal resources or services.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests on its behalf. This could be used to access internal services, potentially leading to further exploitation or information disclosure.

Reproduction

To reproduce this vulnerability, send a POST request to '/v0/management/api-call' with an 'Authorization' header containing a valid bearer token. The request must include a JSON payload specifying the 'method' and 'url' parameters. The 'url' parameter can be set to an external address, such as 'http://www.baidu.com'. The server will then process this request, demonstrating the SSRF vulnerability by allowing access to the specified external resource.