PT-2026-42653 · Pypi · Flaskbb

Published: 2026-05-21 · Updated: 2026-05-21

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
### Summary

A Server-Side Request Forgery (SSRF) vulnerability in get_image_info() allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services (e.g., AWS 169.254.169.254). This is a blind SSRF with confirmed internal port scanning and internal API triggering capabilities. CVSS 6.5 Medium.
### Details

In flaskbb/utils/helpers.py (line 571), the url parameter is passed directly to requests.get(url, stream=True) without any validation of scheme, host, or IP address.

```python
import requests

# flaskbb/utils/helpers.py:571 (excerpt; the rest of the function is not
# reproduced in the advisory). The caller-supplied URL reaches requests.get()
# with no restriction on scheme, host, or destination IP.
def get_image_info(url: str):
    r = requests.get(url, timeout=(3.05, 27), stream=True)
```
Attack chain:

```text
POST /user/settings/user-details (avatar URL)
→ ValidateAvatarURL.validate()  # validators.py:103
→ check_image(avatar)           # helpers.py:628
→ get_image_info(url)           # helpers.py:571
→ requests.get(url)             # No domain/IP restriction
```

Entry points:

- /user/settings/user-details (any authenticated user)
- /admin/users/<id>/edit (admin only)
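The missing check is the one between the form field and requests.get(): the scheme must be restricted and every address the host resolves to must be outside loopback, link-local (where 169.254.169.254 lives), RFC 1918, IPv4-mapped IPv6, multicast and reserved space. The following is an added example of such a pre-fetch check, written for this page and not FlaskBB's own code; the function names (check_avatar_url, is_public_address), the offline DNS table and the sample addresses are constructed for the demonstration.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Added example, not FlaskBB code: validate a user-supplied avatar URL before
# it is handed to an HTTP client. Hypothetical helper names throughout.

ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], List[str]]


def _default_resolver(host: str) -> List[str]:
    """Return every A/AAAA address for host using the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # sockaddr[0] is the textual address; drop any IPv6 zone id (%eth0).
    return [info[4][0].split("%")[0] for info in infos]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so the IPv4 range checks apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes loopback, link-local, RFC 1918, shared (100.64/10),
    # documentation and reserved ranges; multicast needs an explicit check.
    return ip.is_global and not ip.is_multicast


def check_avatar_url(url: str, resolver: Resolver = _default_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Only URLs judged allowed should reach requests.get()."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # A literal IP is checked directly. A hostname is resolved and every
        # record is checked, so a name mixing public and internal records fails.
        addrs = [host] if _is_ip_literal(host) else resolver(host)
        if not addrs:
            return False, f"{host!r} has no addresses"
        for addr in addrs:
            if not is_public_address(addr):
                return False, f"{host!r} -> {addr} is not a public address"
    except (OSError, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    fake_dns = {
        "avatars.example": ["93.184.216.34"],
        "intranet.example": ["93.184.216.34", "10.0.0.5"],
    }
    offline = lambda h: fake_dns.get(h, [])
    for candidate in [
        "https://avatars.example/me.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:9200/",
        "http://[::ffff:10.0.0.5]/",
        "https://intranet.example/x.png",
        "file:///etc/passwd",
    ]:
        print(candidate, check_avatar_url(candidate, resolver=offline))
```

Two caveats apply to any check of this kind. requests.get() follows redirects by default, so a public host can answer with a 302 to an internal address; pass allow_redirects=False and re-run the check on each hop, or fetch with a client that pins the connection to the address that was validated. Without that pinning, a DNS answer that changes between the check and the fetch still bypasses it. Resolving through the same system resolver the HTTP client uses also means that non-canonical address spellings are judged by the address they actually resolve to, not by their text.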
### PoC (attachment: submit.zip)

1. Log in to FlaskBB as any user.
2. Navigate to Settings → User Details.
3. Enter http://169.254.169.254/latest/meta-data/ as the avatar URL.
4. Submit the form.
5. The server sends a GET request to the internal metadata endpoint.

Three exploitation channels confirmed:

- Server-side request: captured on a mock metadata server.
- Internal port scan: check_image() returns distinct errors (CONN_REFUSED, NO_CONTENT_LENGTH, TYPE_NOT_ALLOWED, SUCCESS) that map internal network topology.
- Internal API triggering: mock APIs on 127.0.0.1:9200 triggered via SSRF (deploy, shutdown, key dump endpoints).
### Impact

Any authenticated user is impacted. Attackers can force the server to request internal services, cloud metadata endpoints, or private network resources. On cloud deployments (AWS/GCP/Azure), IAM credentials can be leaked. In production, any GET-triggered internal service is reachable: CI/CD webhooks, Elasticsearch, etcd, Consul, etc.

Fix

SSRF


Weakness Enumeration

Related identifiers

GHSA-XQ32-9G7Q-7297

Affected products

Flaskbb