[Bug]: Server-Side Request Forgery Vulnerability in AI Proxy Middleware of HyperChat

### Platform

macOS

### Version

2.0.0-alpha.63

### Bug Description

# Server-Side Request Forgery Vulnerability in AI Proxy Middleware of HyperChat

## 1) CNA / Submission Type
- Submission type: Report a vulnerability (CVE ID request)
- Reporter role: Independent security researcher
- Report date: Apr 11, 2026

## 2) Reporter Contact
- Reporter name: `BruceJin`
- Reporter email: `brucejin@zju.edu.cn`
- Permission to share contact with vendor: `Yes`

## 3) Vendor / Product Identification
- Vendor: BigSweetPotatoStudio
- Product: HyperChat
- Repository: https://github.com/BigSweetPotatoStudio/HyperChat
- Affected component(s):
- `packages/core/src/http/aiProxyMiddleware.mts`
- `packages/core/src/http.mts`

## 4) Vulnerability Type
- CWE: CWE-918 (Server-Side Request Forgery)
- Short title: SSRF in AI proxy request handling

## 5) Affected Versions
- Confirmed affected: 2.0.0-alpha.63
- Suspected affected range: versions containing the same `baseurl` header to `fetch()` request flow listed below
- Fixed version: Not available at time of report

## 6) Vulnerability Description
A server-side request forgery (SSRF) vulnerability (CWE-918) has been identified in the AI proxy middleware of HyperChat, specifically within packages/core/src/http/aiProxyMiddleware.mts. The HTTP middleware accepts an attacker-controlled baseurl request header, appends the remaining request path, and forwards the request using fetch() without validation or allowlisting. An attacker with network access to the HyperChat HTTP service can coerce the server into making arbitrary outbound HTTP requests to attacker‑controlled or internal destinations. Version 2.0.0-alpha.63 is confirmed affected, and no fixed version is available at the time of reporting.
## 7) Technical Root Cause
1. `js/request-forgery-from-request`
   - Source: `packages/core/src/http/aiProxyMiddleware.mts:88` (`req.headers["baseurl"]`)
   - Sink: `packages/core/src/http/aiProxyMiddleware.mts:112`
   - Sink code: `const response = await fetch(normalizedURL, {`
2. Request path propagation
   - Source: `packages/core/src/http/aiProxyMiddleware.mts:104`
   - Sink: `packages/core/src/http/aiProxyMiddleware.mts:112`
   - Sink code: `const normalizedURL = baseURL.replace(/\/$/, '') + req.url.replace(urlPrefix + "/ai", "");`
3. Route exposure
   - Middleware activation: `packages/core/src/http/aiProxyMiddleware.mts:151`
   - Middleware registration: `packages/core/src/http.mts:147`

## 8) Attack Prerequisites
- The attacker can reach the HyperChat HTTP service.
- The attacker can send requests to the `/\<password\>/ai/...` route prefix used by the proxy middleware.
- No effective runtime policy constrains the attacker-controlled `baseurl` header before `fetch()` is invoked.

## 9) Proof of Concept / Reproduction Guidance
This proof of concept provides a concise, CVE-style reproduction example for the reported issue.

1. Reproduction request
```json
{"model":"test","messages":[{"role":"user","content":"hello"}]}
```
2. Validation
- Start the affected service from `packages/core`:
```bash
npm install
npm run start
```
- By default, the application uses:
  - `HyperChat_HTTP_PORT=16100`
  - `HyperChat_Web_Password=123456`
- Start an attacker-controlled local HTTP listener on `127.0.0.1:8765` that accepts `POST` requests and logs the received path and body.
- Send the following request to the vulnerable service:
```bash
curl -i "http://127.0.0.1:16100/123456/ai/v1/chat/completions" \
  -H 'Content-Type: application/json' \
  -H 'baseurl: http://127.0.0.1:8765' \
  --data '{"model":"test","messages":[{"role":"user","content":"hello"}]}'
```
- Confirm that the attacker-controlled listener receives a `POST` request to `/v1/chat/completions` with the supplied JSON body. This demonstrates that the attacker-controlled `baseurl` header reaches the outbound `fetch()` sink and causes a server-side request to an arbitrary destination.

## 10) Security Impact
- Confidentiality: High (the server can be coerced into accessing attacker-controlled or internal HTTP endpoints).
- Integrity: Low (the attacker can control the destination and payload of outbound proxy requests).
- Availability: Low (repeated requests can induce unwanted outbound network activity).
- Scope: Changed.

## 11) CVSS v3.1 Suggestion
- Suggested vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L`
- Suggested base score: 9.3 (Critical)
- Adjust downward if the HTTP service is guaranteed to remain inaccessible from untrusted users in supported deployments.

## 12) Workarounds / Mitigations
- Do not expose the HyperChat HTTP service to untrusted networks.
- Change the default web password and avoid relying on path secrecy as an access control mechanism.
- Remove or strictly constrain the `baseurl` proxy feature.
- Enforce destination allowlists and block loopback, link-local, RFC1918, and other sensitive targets after resolution.

## 13) Recommended Fix
- Eliminate the direct `baseurl` header to `fetch()` flow documented above.
- Add authentication and authorization checks before permitting proxy requests.
- Replace attacker-controlled destination selection with a strict allowlist of approved upstream AI endpoints.
- Add regression tests proving arbitrary user-supplied destinations cannot trigger outbound requests.

## 14) References
- Repository: https://github.com/BigSweetPotatoStudio/HyperChat
- Reviewed source files:
  - `packages/core/src/http/aiProxyMiddleware.mts`
  - `packages/core/src/http.mts`
  - `packages/shared/src/zodSchemas/envSchema.mts`
- Package version reference: `packages/core/package.json`
- CWE-918: https://cwe.mitre.org/data/definitions/918.html

## 15) Credits
- Discoverer: `BruceJin`
- Discovery method: Static analysis (CodeQL) plus repository source-code audit and local reproduction

## 16) Additional Notes for Form Mapping
- Audit verdict: Confirmed exploitable: attacker-controlled `baseurl` input reaches the outbound `fetch()` sink in the HTTP proxy middleware.
- Dynamic exploit replay status: completed locally with `curl` and an attacker-controlled HTTP listener.
- The two SARIF results correspond to the same underlying SSRF flow in `handleProxyRequest()`, not two distinct vulnerabilities.


### Additional Information

For furthermore information, please refer to https://github.com/BruceJqs/public_exp/issues/11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: Server-Side Request Forgery Vulnerability in AI Proxy Middleware of HyperChat #142

Platform

Version

Bug Description

Server-Side Request Forgery Vulnerability in AI Proxy Middleware of HyperChat

1) CNA / Submission Type

2) Reporter Contact

3) Vendor / Product Identification

4) Vulnerability Type

5) Affected Versions

6) Vulnerability Description

7) Technical Root Cause

8) Attack Prerequisites

9) Proof of Concept / Reproduction Guidance

10) Security Impact

11) CVSS v3.1 Suggestion

12) Workarounds / Mitigations

13) Recommended Fix

14) References

15) Credits

16) Additional Notes for Form Mapping

Additional Information

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Bug]: Server-Side Request Forgery Vulnerability in AI Proxy Middleware of HyperChat #142

Description

Platform

Version

Bug Description

Server-Side Request Forgery Vulnerability in AI Proxy Middleware of HyperChat

1) CNA / Submission Type

2) Reporter Contact

3) Vendor / Product Identification

4) Vulnerability Type

5) Affected Versions

6) Vulnerability Description

7) Technical Root Cause

8) Attack Prerequisites

9) Proof of Concept / Reproduction Guidance

10) Security Impact

11) CVSS v3.1 Suggestion

12) Workarounds / Mitigations

13) Recommended Fix

14) References

15) Credits

16) Additional Notes for Form Mapping

Additional Information

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions