cal.com
- <= 4.9.4
A server-side request forgery (SSRF) vulnerability has been identified in Cal.com versions through 4.9.4. The issue arises in the Logo API component, specifically within the validateUrlForSSRF function in the file apps/web/app/api/logo/route.ts. This vulnerability allows remote attackers to bypass existing SSRF protections and access internal metadata services, particularly on AWS.
Exploitation of this vulnerability bypasses the application's SSRF validations, allowing attackers to access restricted internal services and metadata endpoints. This could lead to unauthorized data exfiltration or manipulation of internal resources.
To reproduce this vulnerability, an authenticated user with permission to modify team settings can upload a malicious logo URL that points to a public server. This server should be configured to redirect requests back to an internal service that the application normally cannot access. Once the logo URL is set, the application will fetch the logo through the public server, inadvertently following the redirect and accessing the internal service.
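The root cause described above is that only the user-supplied URL is validated while the HTTP client then follows redirects on its own, so a public host can forward the request to an address the validator would have rejected. The following added example (not Cal.com's own code, and not its `validateUrlForSSRF` implementation) shows the defensive pattern: resolve and check each hop of the redirect chain before requesting it, and fail closed on anything that cannot be classified. The `Resolver` and `Fetcher` types are assumptions so the logic runs offline; in production they would wrap `dns.promises.lookup` and `fetch` with `redirect: "manual"`.

```typescript
// Added example: logo fetcher that re-validates every redirect hop.
type Resolver = (host: string) => Promise<string[]>;
type Hop = { status: number; location?: string };
type Fetcher = (url: string) => Promise<Hop>;

// Literal addresses a server-side fetcher must never contact: unspecified,
// loopback, RFC 1918, link-local (169.254.169.254 is the AWS metadata
// endpoint), CGNAT, plus IPv6 loopback, unique-local, link-local and
// IPv4-mapped forms. Anything unrecognised is treated as blocked.
export function isBlockedAddress(ip: string): boolean {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    const [a, b] = ip.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127);
  }
  const v = ip.toLowerCase();
  if (v.startsWith("::ffff:")) return isBlockedAddress(v.slice(7)); // IPv4-mapped
  if (!v.includes(":")) return true; // not a dotted quad and not IPv6: fail closed
  return v === "::" || v === "::1" || /^f[cd]/.test(v) || v.startsWith("fe80");
}

// Parse the URL (WHATWG parsing canonicalises decimal/octal IPv4 forms into
// dotted quads), resolve the host and reject if any answer is internal. The
// connection must later pin to the checked address (custom lookup/agent in
// production) or DNS rebinding can still defeat this check.
export async function validateUrlForFetch(raw: string, resolve: Resolver): Promise<URL> {
  const url = new URL(raw); // throws on malformed input
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`bad scheme ${url.protocol}`);
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const isLiteral = /^[\d.]+$/.test(host) || host.includes(":");
  const addrs = isLiteral ? [host] : await resolve(host);
  if (addrs.length === 0 || addrs.some(isBlockedAddress)) throw new Error(`blocked host ${host}`);
  return url;
}

// Follow redirects manually so each Location is validated before it is fetched.
export async function fetchLogoSafely(raw: string, resolve: Resolver, fetchOnce: Fetcher, maxHops = 3): Promise<Hop> {
  let current = raw;
  for (let hop = 0; hop <= maxHops; hop++) {
    const url = await validateUrlForFetch(current, resolve);
    const res = await fetchOnce(url.toString());
    if (res.status < 300 || res.status >= 400) return res;
    if (!res.location) throw new Error("redirect without Location");
    current = new URL(res.location, url).toString(); // relative Location resolves against this hop
  }
  throw new Error("too many redirects");
}
```

With this structure the public host's 302 to an internal address is rejected at the second hop instead of being silently followed.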