## [CRITICAL] Webhook Handler SSRF Vulnerability: Unvalidated URLs Allow Internal Network Access
A critical Server-Side Request Forgery (SSRF) vulnerability exists in the webhook creation handler, allowing attackers to force the server to make HTTP requests to internal network addresses. The flaw is located in `internal/handlers/webhook.go` at lines 65-69, where the handler fails to validate the scheme or destination of submitted webhook URLs. This enables the creation of webhooks pointing directly to internal IPs like `http://169.254.169.254/` or `http://localhost:6379/`, effectively turning the application server into a proxy for internal network scanning.

The vulnerability's impact is severe, granting potential access to sensitive internal infrastructure. Attackers could probe for and interact with internal services such as databases (e.g., Redis) and cloud metadata endpoints. Reaching the `169.254.169.254` metadata endpoint used by AWS, GCP, and Azure could expose cloud instance credentials, creating a pathway to full environment compromise. The server issues these requests itself whenever the corresponding webhook events fire, acting on behalf of the attacker.

This flaw represents a fundamental input-validation failure in a critical integration feature. The expected behavior is strict validation: restricting URLs to the `https://` scheme (or a tightly controlled `http://` allowlist) and blocking all private IP ranges (10.x, 172.16-31.x, 192.168.x), link-local addresses (169.254.x), localhost variants, and known cloud metadata endpoints. Without these controls, the application exposes the entire internal network perimeter to any user with webhook creation privileges.
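A defensive validator for the expected behavior described above, written in Go as an added example (it is not code from the affected project; the function names and the `Resolver` hook are assumptions): it enforces `https`, rejects localhost variants and the GCP metadata hostname, and checks every resolved address against loopback, private, link-local (which includes `169.254.169.254`), unspecified, multicast and CGNAT ranges, returning the vetted IPs so the caller can pin the delivery connection to them.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS so the check is testable offline; pass net.LookupIP in production.
type Resolver func(host string) ([]net.IP, error)

// Shared-address (CGNAT) space, which net.IP's own classifiers do not cover.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// IsBlockedIP rejects loopback, RFC 1918 / IPv6 ULA, link-local (covers 169.254.169.254),
// unspecified, multicast and CGNAT addresses. IPv4-mapped IPv6 is unwrapped by net.IP.
func IsBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast() || cgnat.Contains(ip)
}

// ValidateWebhookURL enforces https and rejects hosts that are, or resolve to, a
// blocked address. It returns the vetted IPs so the caller can pin the connection
// to them: resolving again at delivery time reopens a DNS-rebinding window.
func ValidateWebhookURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid webhook URL: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("webhook URL must use https, got %q", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") || host == "metadata.google.internal" {
		return nil, fmt.Errorf("webhook host %q not allowed", host)
	}
	ips := []net.IP{net.ParseIP(host)} // literal address, if the host is one
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("webhook host %q did not resolve: %v", host, err)
		}
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return nil, fmt.Errorf("webhook host %q resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}
```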

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: SSRF, Webhook, Security Vulnerability, Cloud Security, Code Vulnerability
- **Credibility**: unverified
- **Published**: 2026-03-27 23:27:16
- **ID**: 38514
- **URL**: https://whisperx.ai/en/intel/38514