CVE-2024-52588
Strapi allows Server-Side Request Forgery in Webhook function
Description
## Description In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as `localhost`, `127.0.0.1`, `0.0.0.0`,.... in order to make the Application fetching into the internal itself, which causes the vulnerability `Server - Side Request Forgery (SSRF)`. ## Payloads - `http://127.0.0.1:80` -> `The Port is not open` - `http://127.0.0.1:1337` -> `The Port which Strapi is running on` ## Steps to Reproduce - First of all, let's input the URL `http://127.0.0.1:80` into the `URL` field, and click "Save".  - Next, use the "Trigger" function and use Burp Suite to capture the request / response  - The server return `request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80`, BECAUSE the `Port 80` is not open, since we are running Strapi on `Port 1337`, let's change the URL we input above into `http://127.0.0.1:1337`  - Continue to click the "Trigger" function, use Burp to capture the request / response  - The server returns `Method Not Allowed`, which means that there actually is a `Port 1337` running the machine. ## PoC Here is the Poc Video, please check: https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing ## Impact - If there is a real server running Strapi with many ports open, by using this SSRF vulnerability, the attacker can brute-force through all 65535 ports to know what ports are open.
How to fix CVE-2024-52588
To remediate CVE-2024-52588, upgrade the affected package to a fixed version below.
- —upgrade to 4.25.2 or later
Is CVE-2024-52588 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.