ItzCrazyKns Vane
- <= 1.12.1
A server-side request forgery (SSRF) vulnerability has been identified in ItzCrazyKns Vane versions through 1.12.1. The issue lies in the Model Provider API, specifically in the 'src/app/api/providers/route.ts' file. It can be exploited remotely by manipulating the 'baseURL' argument, which causes the server to issue HTTP requests to internal or external destinations chosen by the requester. This flaw was reported to the project, but no response has been received yet.
Exploitation of this vulnerability allows for server-side request forgery, where the server is tricked into making HTTP requests to arbitrary locations. This could include internal network services, localhost services, cloud instance metadata endpoints, or any external URL controlled by the attacker. Additionally, the vulnerability leaks fragments of the target's HTTP response body back to the attacker, potentially exposing sensitive information.
To reproduce this vulnerability, send a POST request to the '/api/providers' endpoint with an arbitrary 'baseURL' that points to an internal service or metadata endpoint. The server will make a request to the specified URL and, if the response is not valid JSON, leak the response body fragment back to the client, confirming the SSRF exploitation.
To address this vulnerability, it is recommended to add authentication to the '/api/providers' endpoint, validate the supplied URL so that only permitted schemes and hosts are accepted and private/internal IP addresses (including loopback, link-local and metadata ranges) are blocked, sanitize error messages so that upstream response bodies are never echoed back to the client, and consider network-level isolation so the application host cannot reach sensitive internal services or metadata endpoints.