CVE-2024-52588
Strapi allows Server-Side Request Forgery in Webhook function
Severity: MEDIUM 4.9 | EPSS 0.32%
Description
In the latest Strapi version, the Settings -> Webhooks function lets the user enter a URL to create a Webhook connection. However, local destinations such as `localhost`, `127.0.0.1`, `0.0.0.0`, etc. are accepted in this field, so the application can be made to send requests to its own internal network, which is a `Server-Side Request Forgery (SSRF)` vulnerability.

## Payloads
- `http://127.0.0.1:80` -> the port is not open
- `http://127.0.0.1:1337` -> the port Strapi is running on

## Steps to Reproduce
- First, enter the URL `http://127.0.0.1:80` into the `URL` field and click "Save".
- Next, use the "Trigger" function and capture the request / response with Burp Suite.
- The server returns `request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80`, because `Port 80` is not open: Strapi is running on `Port 1337`. Change the URL entered above to `http://127.0.0.1:1337`.
- Click the "Trigger" function again and capture the request / response with Burp.
- The server returns `Method Not Allowed`, which confirms that a service is listening on `Port 1337` on the machine.

## PoC
Here is the PoC video, please check: https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing

## Impact
- On a real server running Strapi with many open ports, this SSRF vulnerability lets an attacker brute-force through all 65535 ports to learn which ones are open.
Affected packages (1)
- npm/@strapi/admin: from 0, < 4.25.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |