VYPR
Moderate severity · NVD Advisory · Published Feb 23, 2021 · Updated Aug 4, 2024

SSRF in Rendertron

CVE-2020-8902

Description

Rendertron <3.0.0 has an SSRF vulnerability allowing a crafted webpage to force the headless Chrome to render internal sites as screenshots.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Rendertron versions prior to 3.0.0 are susceptible to Server-Side Request Forgery (SSRF) [1]. Rendertron takes a requester-supplied URL, loads it in headless Chrome, and returns the rendered result (serialized HTML or a screenshot). The root cause is that the headless Chrome process does not sufficiently restrict the URLs it will fetch: whatever the loaded page navigates to or embeds is requested from the Rendertron server's own network position, so the browser can be steered at services that are only reachable internally [1].

Exploitation

An attacker submits a URL for a webpage they control. When Rendertron renders it, the crafted page forces the headless Chrome to request and render internal websites that the Rendertron server can reach (for example by redirecting or navigating the browser to an internal address), and the screenshot of that internal page is returned to the attacker like any other rendering [1]. No authentication is mentioned as required; the attack only needs the Rendertron service to be reachable by the attacker and to render attacker-controlled content [1].

Impact

Successful exploitation lets an external attacker view internal web resources that should not be reachable from outside, such as admin panels, internal APIs, or other sensitive services [1]. This is an information disclosure, and because each screenshot also reveals which internal hosts and ports answer and what they serve, it supports further network reconnaissance.

Mitigation

The vulnerability is fixed in Rendertron 3.0.0, which carries the official vendor fix [2]. Users who cannot upgrade immediately should restrict the headless Chrome process's network access so that it cannot reach internal domains at all, for example by running the renderer in a segmented network with only outbound internet egress, or by firewall rules on the rendering host that reject connections to internal address ranges [1]. Whatever the mechanism, the rendering process should be treated as one that executes untrusted content and given no more network reach than a public client would have.
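As an added example (not Rendertron's own code and not the vendor's 3.0.0 fix), the Node.js module below applies the workaround's intent inside the renderer: every URL headless Chrome is about to fetch, including the top-level URL, redirect hops, iframes and subresources, is classified, and anything aimed at loopback, private, link-local, multicast or otherwise non-public address space, or at a non-http(s) scheme, is refused. The wiring assumed here is Puppeteer's request interception (`page.setRequestInterception(true)` plus a `page.on('request', ...)` handler whose request object offers `url()`, `continue()` and `abort(errorCode)`); the sample URLs at the bottom are constructed for illustration.

```javascript
// Added example, not Rendertron's code. Egress filter for the requests
// headless Chrome makes while rendering untrusted pages.
// Assumed wiring (not from the advisory): Puppeteer request interception.

// IPv4 address space a public rendering service should never fetch from,
// written as [network, prefix length].
const BLOCKED_V4 = [
  ["0.0.0.0", 8],      // "this" network
  ["10.0.0.0", 8],     // RFC 1918
  ["100.64.0.0", 10],  // carrier-grade NAT
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local (cloud metadata services live here)
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
  ["224.0.0.0", 3],    // multicast, reserved and broadcast (224.0.0.0 - 255.255.255.255)
];

function v4ToInt(dotted) {
  return dotted.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inV4Block(dotted) {
  const n = v4ToInt(dotted);
  return BLOCKED_V4.some(([network, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(network) & mask) >>> 0);
  });
}

// Expand an IPv6 literal (brackets already removed) into eight 16-bit groups.
// An embedded IPv4 tail such as ::ffff:127.0.0.1 counts as two groups.
function v6Groups(literal) {
  const [head, tail] = literal.split("::");
  const groups = (s) =>
    s
      ? s.split(":").flatMap((g) => {
          if (!g.includes(".")) return [parseInt(g, 16)];
          const n = v4ToInt(g);
          return [n >>> 16, n & 0xffff];
        })
      : [];
  const h = groups(head);
  const t = groups(tail);
  const fill = tail === undefined ? [] : new Array(8 - h.length - t.length).fill(0);
  return [...h, ...fill, ...t];
}

function inV6Block(literal) {
  const g = v6Groups(literal);
  if (g.length !== 8) return true; // malformed: refuse rather than guess
  // IPv4-mapped addresses (::ffff:a.b.c.d; the WHATWG parser serialises the
  // tail as hex) get the IPv4 rules applied to the embedded address.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return inV4Block([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join("."));
  }
  return (
    g.every((x) => x === 0) ||                             // ::  unspecified
    (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) || // ::1 loopback
    (g[0] & 0xfe00) === 0xfc00 ||                          // fc00::/7 unique local
    (g[0] & 0xffc0) === 0xfe80 ||                          // fe80::/10 link-local
    (g[0] & 0xff00) === 0xff00                             // ff00::/8 multicast
  );
}

// Decide whether headless Chrome may fetch rawUrl. Returns a verdict with a
// reason so the renderer can log what it refused.
function classifyUrl(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${u.protocol} not allowed` }; // file:, data:, chrome: ...
  }
  // The WHATWG parser has already normalised 2130706433, 0x7f.1 and
  // 0177.0.0.1 to 127.0.0.1, so the dotted-quad check covers those tricks.
  const host = u.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { allowed: false, reason: "localhost" };
  }
  if (/^\d+(\.\d+){3}$/.test(host) && inV4Block(host)) {
    return { allowed: false, reason: `non-public IPv4 ${host}` };
  }
  if (host.startsWith("[") && inV6Block(host.slice(1, -1))) {
    return { allowed: false, reason: `non-public IPv6 ${host}` };
  }
  return { allowed: true, reason: "ok" };
}

// Handler for Puppeteer's request interception (assumed API: req exposes
// url(), continue() and abort(errorCode)). With interception on, each
// redirect hop raises its own request event, so a 302 from the attacker's
// page to an internal host is caught as well.
function makeRequestGuard(log = () => {}) {
  return (req) => {
    const verdict = classifyUrl(req.url());
    if (verdict.allowed) return req.continue();
    log(`blocked ${req.url()}: ${verdict.reason}`);
    return req.abort("blockedbyclient");
  };
}

// Constructed sample of URLs a crafted page might try to pull in.
const SAMPLE_URLS = [
  "https://example.com/",
  "http://127.0.0.1:8080/admin",
  "http://2130706433/",                       // decimal form of 127.0.0.1
  "http://0x7f.1/",                           // hex/short form of 127.0.0.1
  "http://169.254.169.254/latest/meta-data/",
  "http://[::ffff:127.0.0.1]/",
  "http://[fd00::1]/",
  "http://10.1.2.3/",
  "file:///etc/passwd",
];

for (const s of SAMPLE_URLS) {
  const v = classifyUrl(s);
  console.log(`${v.allowed ? "allow" : "block"}  ${s}  (${v.reason})`);
}
```

In a renderer the guard would be installed once per page, before navigation: `await page.setRequestInterception(true); page.on('request', makeRequestGuard(console.warn));`, and the same `classifyUrl` check applied to the URL the HTTP request handed in. Two caveats: a hostname that resolves to an internal address (or rebinds to one between check and connect) passes this literal-only filter, so a production version must resolve the name, check the resulting address and pin the connection to it; and because the browser can be coaxed in ways a request filter does not see, the network-level restriction the advisory recommends remains the backstop, not an alternative.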

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions   Patched versions
rendertron   npm         < 3.0.0             3.0.0

Affected products: 2

Patches: 0 (no patch commits discovered in the index yet; the fix ships in the 3.0.0 release listed above)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)