CoreWorxLab CAAL Server-Side Request Forgery Vulnerability in Webhook Test Endpoints

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in CoreWorxLab CAAL versions through 1.6.0. The issue resides in the test-hass and test-n8n webhook endpoints, specifically within the src/caal/webhooks.py file. These endpoints accept user-controlled input to build request URLs and perform outbound HTTP requests without proper validation. This lack of destination policy controls could allow remote exploitation, enabling attackers to probe internal network services from the affected server.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal network resources, depending on which services are reachable from the affected server. Services that are not exposed to the network but listen on the loopback interface, or that trust requests originating from the server's own address, are the typical targets of this class of issue.

Reproduction

To reproduce this vulnerability, send a POST request to the '/setup/test-n8n' endpoint with a JSON payload that includes a URL pointing to an internal service (the test-hass endpoint is affected in the same way). The server will then attempt to connect to the specified URL, demonstrating the SSRF by probing internal services. How much an attacker learns depends on whether the response or error details are reflected back to the client; at minimum, differences in error messages and response times reveal which hosts and ports are reachable.

Remediation

It is recommended to validate URL and host inputs on the setup test endpoints, block outbound requests whose destination has not been validated, and introduce an allowlist for destination URLs. Validation should operate on the addresses a hostname resolves to, not only on the literal text of the URL, since hostnames (including localhost), IPv6 literals, IPv4-mapped IPv6 addresses and alternate numeric encodings can all map to internal addresses. Additionally, security tests should be added to check that requests to localhost, private and link-local addresses are rejected.
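The destination check that the remediation calls for, written as an added example in Python (the language of src/caal/webhooks.py). This is not CAAL project code: the function and parameter names, the sample hostnames and the stub resolutions are assumptions made for illustration, and the resolver is injectable so the policy can be exercised without DNS.

```python
"""Destination policy for operator-supplied webhook test URLs (added example).

Rejects loopback, private, link-local (including 169.254.169.254), multicast,
reserved and unspecified addresses, checks every address a hostname resolves
to, refuses credentials in the URL, and optionally enforces a host allowlist.
Names are illustrative assumptions, not the CAAL project's own API.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# A resolver maps a hostname to the IP address strings it resolves to.
Resolver = Callable[[str], List[str]]


@dataclass
class Decision:
    allowed: bool
    reason: str
    # Addresses the check vetted. The HTTP client should connect to one of
    # these instead of resolving again, which closes the DNS-rebinding window.
    pinned_ips: Tuple[str, ...] = ()


def default_resolver(host: str) -> List[str]:
    """Resolve A and AAAA records with the standard library."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(ip_text: str) -> bool:
    """True for any address that is not a public, routable unicast address.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so it cannot bypass."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def check_destination(url: str,
                      allowed_hosts: Optional[Iterable[str]] = None,
                      resolver: Resolver = default_resolver) -> Decision:
    """Decide whether a user-supplied webhook URL may be fetched at all."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return Decision(False, f"unparseable url: {exc}")
    if parts.scheme not in ("http", "https"):
        return Decision(False, f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return Decision(False, "missing host")
    if parts.username is not None or parts.password is not None:
        # http://trusted.example@127.0.0.1/ puts the real host after the '@'
        return Decision(False, "credentials in url not allowed")
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        return Decision(False, f"host not in allowlist: {host}")
    # A literal address is checked directly; anything else is resolved and
    # every resolved address must pass, so one blocked record fails the URL.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except socket.gaierror as exc:
            return Decision(False, f"resolution failed: {exc}")
        if not addresses:
            return Decision(False, "host resolved to no addresses")
    for addr in addresses:
        if is_blocked_address(addr):
            return Decision(False, f"destination {addr} is not a public address")
    return Decision(True, "ok", tuple(addresses))


# Constructed sample resolutions (assumptions, not real DNS data). 8.8.8.8 and
# 1.1.1.1 stand in for public addresses; "2130706433" models a resolver that
# accepts the legacy single-integer form of 127.0.0.1.
STUB_DNS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1", "::1"],
    "n8n.internal": ["10.0.0.5"],
    "hooks.example": ["8.8.8.8"],
    "dual.example": ["1.1.1.1", "10.1.1.1"],
    "2130706433": ["127.0.0.1"],
}


def stub_resolver(host: str) -> List[str]:
    if host not in STUB_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return STUB_DNS[host]


SAMPLE_URLS = [
    "http://127.0.0.1:8123/api/",            # Home Assistant default port, loopback
    "http://localhost:5678/webhook/abc",     # resolves to loopback
    "http://[::ffff:169.254.169.254]/",      # metadata address behind IPv4-mapped v6
    "http://n8n.internal/webhook/abc",       # private-range host
    "http://hooks.example@127.0.0.1/",       # userinfo trick
    "http://2130706433/",                    # integer form of 127.0.0.1
    "http://dual.example/",                  # one public, one private record
    "https://hooks.example/webhook/abc",     # only acceptable destination
]


def run_samples(allowed_hosts: Optional[Iterable[str]] = None) -> Dict[str, bool]:
    """Run the constructed samples through the policy; maps URL to allowed."""
    return {u: check_destination(u, allowed_hosts, stub_resolver).allowed
            for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, ok in run_samples().items():
        print("ALLOW " if ok else "BLOCK ", url)
```

The policy runs before any socket is opened, and the caller is expected to connect to one of `Decision.pinned_ips` (for example via an HTTP client that lets the connect address be fixed) rather than letting the client resolve the hostname a second time. Redirects need the same treatment: either disable them or re-run `check_destination` on every Location header before following it.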

Added: May 17, 2026, 2:18 AM
Updated: May 17, 2026, 2:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.2
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.