## Security Alert: SSRF Vulnerability in fetch-chart API Exposes Internal Infrastructure
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified within the `fetch-chart` API route of a Next.js application. The flaw allows an attacker to force the server to make arbitrary HTTP requests to internal infrastructure, including sensitive metadata endpoints like `http://169.254.169.254/latest/meta-data/`. This bypasses network security controls and poses a direct threat to cloud environments and internal services.

The vulnerability resides in the `app/api/fetch-chart/route.ts` file. When a user-supplied `body.url` does not contain `artifacthub.io`, the code passes the URL directly to the `downloadTgz()` function without any validation. This lack of allowlisting or protocol restriction means any URL, including those targeting internal IP addresses or metadata services, can be submitted. A parallel risk exists in `lib/artifactHub.ts`, where the hostname for OCI registry requests is also taken directly from user input, enabling unauthenticated requests to arbitrary hosts.

This SSRF flaw, categorized under OWASP Top 10 A10, creates a significant security exposure. It could be exploited to probe internal networks, access cloud instance metadata containing credentials, or interact with internal APIs. The required fix is clear: implement strict validation to ensure `body.url` uses HTTPS and belongs to a predefined allowlist of trusted registries or matches a strict `artifacthub.io` pattern before any download is attempted. Blocking all non-allowlisted URLs is essential to mitigate this server-side attack vector.
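The kind of pre-download check the fix calls for, written here as an added TypeScript example rather than code from the reported project; the allowlist contents, the function name, and the extra rejection of embedded credentials and explicit ports are assumptions:

```typescript
// Added example: validate a user-supplied chart URL before handing it to a
// downloader. Not the project's own code; ALLOWED_HOSTS is an assumed allowlist.
const ALLOWED_HOSTS = new Set(["artifacthub.io"]);

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

function validateChartUrl(raw: unknown): UrlCheck {
  if (typeof raw !== "string") {
    return { ok: false, reason: "url must be a string" };
  }
  let parsed: URL;
  try {
    parsed = new URL(raw); // WHATWG parser: rejects garbage, normalises host case
  } catch {
    return { ok: false, reason: "malformed url" };
  }
  // HTTPS only: this alone rules out http://169.254.169.254/... and any
  // non-HTTP scheme the downloader's HTTP client might otherwise follow.
  if (parsed.protocol !== "https:") {
    return { ok: false, reason: `protocol ${parsed.protocol} not allowed` };
  }
  // Embedded credentials are a classic way to confuse naive host checks
  // (https://artifacthub.io@attacker.example/), so reject them outright.
  if (parsed.username !== "" || parsed.password !== "") {
    return { ok: false, reason: "credentials in url not allowed" };
  }
  // Exact host match, never a substring test: "artifacthub.io.evil.example"
  // contains the allowed string but must fail here.
  const host = parsed.hostname.toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  // Explicit ports are not needed for the registry; refuse them so the
  // allowlisted host cannot be used to reach an unexpected service.
  if (parsed.port !== "") {
    return { ok: false, reason: "explicit port not allowed" };
  }
  return { ok: true, url: parsed };
}
```

In the route handler, only a result with `ok: true` would be passed on to the download step; every other outcome is answered with a 4xx and the reason logged for detection.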
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: SSRF, API Security, Next.js, Vulnerability, Cloud Security
- **Credibility**: unverified
- **Published**: 2026-04-08 11:27:19
- **ID**: 54896
- **URL**: https://whisperx.ai/en/intel/54896