VYPR
Critical severity · NVD Advisory · Published Oct 22, 2020 · Updated Aug 4, 2024

CVE-2020-27664

Description

admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Strapi before 3.2.5 contains an unauthenticated server-side request forgery (SSRF) via the /proxy?url= endpoint.

The vulnerability resides in admin/src/containers/InputModalStepperProvider/index.js within Strapi versions prior to 3.2.5. The code exposes a /proxy?url= endpoint that fetches arbitrary URLs on behalf of the caller without proper validation or authorization checks [1][2]. The endpoint existed so that the admin UI could fetch a file from an external URL when uploading by URL; the fix removes the use of the insecure proxy and has the client request the file URL directly instead of routing it through the proxy [2].

An attacker with network access to the Strapi admin panel can exploit this issue by sending requests to the /proxy?url= endpoint with any internal or external URL as the value of the url parameter. The Strapi backend then fetches that URL and returns its contents to the attacker, effectively acting as an open proxy. Note that the official release notes state the vulnerability is only exploitable by a user with admin panel access and the right permissions [3].

Successful exploitation allows an attacker to perform server-side request forgery (SSRF), potentially reaching internal services, cloud metadata endpoints, or other resources behind the firewall that are not otherwise reachable from the attacker's position. What can be reached is bounded by the network position and privileges of the Strapi server process.

The vulnerability was patched in Strapi version 3.2.5, released on October 22, 2020. The fix removes the proxy functionality entirely [2][3]. Users should upgrade to version 3.2.5 or later to mitigate this issue.
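Because the fix is removal of the endpoint rather than a code change to harden it, the practical question for a defender running a pre-3.2.5 instance is whether the endpoint was ever used, and against what. The following is an added example for this page, not Strapi code and not one of the cited references: it scans HTTP access-log lines for requests to the /proxy?url= endpoint described above, decodes the proxied URL, and classifies the target as the cloud metadata address, an internal/loopback/link-local range, a plain DNS name, or an external IP. The log lines, client addresses and log format are constructed for illustration; the regular expression assumes the common Apache/nginx "combined" layout and would need adjusting for other formats.

```javascript
// Added example (not Strapi project code): scan an HTTP access log for requests to the
// /proxy?url= endpoint exposed by Strapi admin builds before 3.2.5 and classify where each
// proxied URL points. Log format and IP addresses are constructed for illustration.

// Constructed sample lines in Apache/nginx "combined" style; not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - admin [22/Oct/2020:10:01:02 +0000] "GET /admin HTTP/1.1" 200 512',
  '203.0.113.7 - - [22/Oct/2020:10:01:09 +0000] "GET /proxy?url=https%3A%2F%2Fexample.com%2Flogo.png HTTP/1.1" 200 8834',
  '203.0.113.7 - - [22/Oct/2020:10:01:15 +0000] "GET /proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 233',
  '203.0.113.7 - - [22/Oct/2020:10:01:21 +0000] "GET /proxy?url=http%3A%2F%2F10.0.0.12%3A6379%2F HTTP/1.1" 502 0',
  '198.51.100.2 - - [22/Oct/2020:10:02:00 +0000] "POST /upload HTTP/1.1" 201 77',
];

// client ident user [timestamp] "METHOD request-target PROTOCOL" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { client: m[1], ts: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Classify a hostname as produced by the WHATWG URL parser, which already normalises
// shorthand, hex and octal IPv4 spellings to dotted-quad form and brackets IPv6 literals.
function classifyTarget(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return 'internal';
  const v4 = IPV4_RE.exec(h);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    if (h === '169.254.169.254') return 'metadata';        // cloud metadata service address
    if (a === 10 || a === 127 || a === 0) return 'internal'; // private, loopback, "this" network
    if (a === 172 && b >= 16 && b <= 31) return 'internal';  // 172.16.0.0/12
    if (a === 192 && b === 168) return 'internal';           // 192.168.0.0/16
    if (a === 169 && b === 254) return 'internal';           // other link-local addresses
    return 'external';
  }
  if (h.includes(':')) {
    if (h === '::1' || /^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return 'internal'; // loopback, ULA, link-local
    return 'external';
  }
  // A DNS name may still resolve to an internal address; resolving it is out of scope here,
  // so it is reported separately rather than assumed safe.
  return 'hostname';
}

// Return one record per request whose path is /proxy and which carries a url parameter.
function findProxyRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    // Resolve the request-target against a dummy base so the query string is percent-decoded for us.
    const req = new URL(rec.target, 'http://placeholder.invalid');
    if (req.pathname !== '/proxy') continue;
    const proxied = req.searchParams.get('url');
    if (proxied === null) continue;
    let classification;
    try {
      classification = classifyTarget(new URL(proxied).hostname);
    } catch {
      classification = 'unparseable';
    }
    hits.push({ client: rec.client, ts: rec.ts, status: rec.status, proxied, classification });
  }
  return hits;
}

// Count hits per classification so a quick triage can start with metadata/internal targets.
function summarize(hits) {
  const counts = {};
  for (const h of hits) counts[h.classification] = (counts[h.classification] || 0) + 1;
  return counts;
}

for (const hit of findProxyRequests(SAMPLE_LOG)) console.log(JSON.stringify(hit));
console.log(JSON.stringify(summarize(findProxyRequests(SAMPLE_LOG))));
```

A 502 on a request whose target is an internal address (as in the fourth sample line) is still worth recording: the status tells you only that the fetch failed, not that it was not attempted. Hostnames are reported separately because a DNS name can resolve to an internal address, and deciding that requires resolution from the server's own vantage point.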

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
strapi (npm)    < 3.2.5             3.2.5

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0