
Eddie Ran

#30681 of 53,633
8.6 Total CVSS
Vulnerabilities · 1
PT-2026-41771
8.6
2026-05-18
Dozzle · Dozzle · CVE-2026-45298
**Name of the Vulnerable Software and Affected Versions**

Dozzle versions prior to 10.5.2

**Description**

In default deployments where no `DOZZLE_AUTH_PROVIDER` is set, the endpoint `POST /api/notifications/test-webhook` is reachable without authentication. This allows an unauthenticated attacker to perform a full-reflection Server-Side Request Forgery (SSRF): the server is induced to issue requests to internal or external resources on the attacker's behalf and to return what it receives. The attacker supplies a controlled URL and request headers via the `URL` and `Headers` variables, which are passed to the `WebhookDispatcher` and the `testWebhook()` function. If the target server responds with a non-2xx status code, the system returns the response status code and up to 1 MB of the response body to the caller. This can be used to probe internal networks, access private subnets, reach loopback services, or retrieve sensitive information from cloud metadata services (IMDS). Because the request headers are attacker-controlled, header injection against downstream internal services is also possible.

**Recommendations**

Update to version 10.5.2 or later. As a temporary workaround, set the `DOZZLE_AUTH_PROVIDER` variable to enable authentication and restrict access to the `POST /api/notifications/test-webhook` endpoint.
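As an added defender-side illustration that is not Dozzle's code, the Go check below is the kind of destination filter a webhook-test endpoint can apply, alongside authentication, before dispatching a user-supplied URL: it resolves the host and refuses loopback, RFC 1918, link-local (including the IMDS address) and equivalent IPv6 destinations. `Resolver`, `blockedCIDRs` and `ValidateWebhookTarget` are names assumed for this example.

```go
package main

import (
	"context"
	"fmt"
	"net/netip"
	"net/url"
)

// Resolver is injected so the check can be exercised offline; production wraps net.DefaultResolver.LookupNetIP.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// Destinations a webhook must never reach: unspecified, loopback, RFC 1918, link-local (which covers
// IMDS at 169.254.169.254) and their IPv6 counterparts. Names here are assumed for this example.
var blockedCIDRs = []string{"0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
	"172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10"}

func isInternal(a netip.Addr) bool {
	a = a.Unmap() // ::ffff:127.0.0.1 must be judged as 127.0.0.1
	for _, c := range blockedCIDRs {
		if netip.MustParsePrefix(c).Contains(a) {
			return true
		}
	}
	return false
}

// ValidateWebhookTarget accepts only http(s) URLs whose host resolves exclusively to non-internal
// addresses. Every returned record is checked, so a DNS answer mixing public and private IPs is rejected.
func ValidateWebhookTarget(ctx context.Context, rawURL string, resolve Resolver) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	addrs, err := resolve(ctx, u.Hostname()) // net.Resolver hands literal IPs back unchanged
	if err != nil || len(addrs) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", u.Hostname(), err)
	}
	for _, a := range addrs {
		if isInternal(a) {
			return fmt.Errorf("%q resolves to internal address %s, refusing to dispatch", u.Hostname(), a)
		}
	}
	return nil
}
```

The check must run against the resolved addresses immediately before the outbound request is made, and the response body should not be echoed back to the caller regardless of status code.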