Chatwoot

A deep dive into a critical Server-Side Request Forgery (SSRF) vulnerability in Chatwoot's upload endpoint (≤ v4.12.1). The /api/v1/accounts/:id/upload endpoint accepts an external_url parameter validated only by a scheme check, allowing any authenticated agent to force the server to fetch arbitrary internal URLs. The full response body is returned in-band through ActiveStorage blobs — turning the upload endpoint into a full-read proxy. Live exploitation on a DigitalOcean droplet confirmed in-band exfiltration of cloud metadata including droplet ID, hostname, SSH public keys, and full metadata bundles. Fixed in v4.13.0.