VYPR
Unrated severity · NVD Advisory · Published Aug 4, 2022 · Updated Apr 23, 2025

Unauthenticated SSRF in 3rd party module "cerdic/csstidy"

CVE-2022-31132

Description

Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path ./vendor/cerdic/css-tidy/css_optimiser.php. Access to the minifier is unrestricted, and access may lead to Server-Side Request Forgery (SSRF). It is recommended to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at ./vendor/cerdic/css-tidy/css_optimiser.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Mail includes an unauthenticated SSRF vulnerability via a CSS minifier at `./vendor/cerdic/css-tidy/css_optimiser.php`.

Vulnerability

Nextcloud Mail versions prior to 1.12.7 and 1.13.6 shipped with a third-party CSS minifier located at ./vendor/cerdic/css-tidy/css_optimiser.php. This script is accessible without authentication and accepts untrusted input, which can be abused to perform Server-Side Request Forgery (SSRF). The vulnerable code path is reachable by any unauthenticated HTTP request to the minifier endpoint.

Exploitation

An attacker with network access to the Nextcloud instance can send crafted HTTP requests to the CSS minifier script at ./vendor/cerdic/css-tidy/css_optimiser.php. By manipulating the input parameters, the attacker can force the server to make HTTP requests to arbitrary internal or external hosts, effectively performing SSRF. No authentication or user interaction is required.

Impact

Successful exploitation enables the attacker to probe and interact with internal services (e.g., databases, routers) that are normally protected behind the network perimeter. This can lead to information disclosure about the infrastructure, such as discovering running services or router details, and may serve as a stepping stone for further attacks.

Mitigation

The vulnerability is fixed in Nextcloud Mail 1.12.7 and 1.13.6 [1]. Users who cannot upgrade immediately should manually delete the file ./vendor/cerdic/css-tidy/css_optimiser.php as a workaround [1]. No evidence of active exploitation in the wild or inclusion in CISA KEV has been reported.
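The advisory gives operators two things to verify: that the workaround (removing the minifier file) has actually been applied, and whether the unauthenticated endpoint has been requested. The following script is an added example written for this page; it is not code from VYPR, NVD or the Nextcloud project. It assumes the Mail app lives under a directory the operator supplies (for example `<nextcloud_root>/apps/mail`), that the web server writes Combined Log Format, and it matches on the URL path only, since the advisory does not name the script's request parameters (the query strings in the constructed sample lines are placeholders).

```python
"""Defender-side checks for CVE-2022-31132 (added example, not from the advisory).

Two checks a Nextcloud operator can run:
  1. Is the unrestricted CSS minifier still present under the Mail app?
  2. Has anyone requested it, according to the web server access log?

Assumptions (not stated on the advisory page): the caller knows the Mail app
directory, and the web server writes Combined Log Format (Apache/Nginx default).
"""
import os
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Relative path named in the advisory, under the Mail app directory.
MINIFIER_REL_PATH = os.path.join("vendor", "cerdic", "css-tidy", "css_optimiser.php")

# URL suffix of the same file as exposed by the web server.
MINIFIER_URL_SUFFIX = "/vendor/cerdic/css-tidy/css_optimiser.php"

# Combined Log Format: ip ident user [time] "METHOD target proto" status size "referer" "agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def minifier_present(mail_app_dir: str) -> bool:
    """True if the unrestricted minifier file still exists, i.e. the workaround
    (deleting the file) or the fixed release has not been applied."""
    return os.path.isfile(os.path.join(mail_app_dir, MINIFIER_REL_PATH))


@dataclass
class Hit:
    ip: str
    time: str
    method: str
    target: str
    status: int


def find_minifier_requests(log_lines):
    """Return every request whose decoded URL path ends with the minifier path.

    The query string is stripped before matching and percent-encoding is decoded,
    so a request that hides the file name as css_optimiser%2Ephp is still caught.
    A 404 is still reported: after the file is deleted, hits show who is probing.
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip it
        path = unquote(m.group("target").split("?", 1)[0])
        if path.lower().endswith(MINIFIER_URL_SUFFIX):
            hits.append(Hit(m.group("ip"), m.group("time"), m.group("method"),
                            m.group("target"), int(m.group("status"))))
    return hits


def hits_by_source(hits):
    """Count minifier requests per client IP, most active first."""
    return Counter(h.ip for h in hits).most_common()


# Constructed sample log lines (not real traffic). The "?x=1" query strings are
# placeholders; the advisory does not name the minifier's parameters.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Aug/2022:10:15:01 +0000] "GET /apps/mail/vendor/cerdic/css-tidy/css_optimiser.php?x=1 HTTP/1.1" 200 1421 "-" "curl/7.68.0"',
    '192.0.2.10 - alice [04/Aug/2022:10:15:09 +0000] "GET /index.php/apps/mail/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [04/Aug/2022:10:16:44 +0000] "GET /apps/mail/vendor/cerdic/css-tidy/css_optimiser%2Ephp?x=1 HTTP/1.1" 200 1390 "-" "python-requests/2.28"',
    'this line is not in combined log format',
    '203.0.113.7 - - [05/Aug/2022:08:02:13 +0000] "POST /apps/mail/vendor/cerdic/css-tidy/css_optimiser.php HTTP/1.1" 404 196 "-" "curl/7.68.0"',
]


if __name__ == "__main__":
    app_dir = os.environ.get("MAIL_APP_DIR", "/var/www/nextcloud/apps/mail")  # assumed location
    print("minifier still present:", minifier_present(app_dir))
    for hit in find_minifier_requests(SAMPLE_LOG):
        print(f"{hit.time} {hit.ip} {hit.method} {hit.target} -> {hit.status}")
    print("requests per source:", hits_by_source(find_minifier_requests(SAMPLE_LOG)))
```

Run it with `MAIL_APP_DIR` pointing at the Mail app directory on the instance; a `True` from `minifier_present` means the file is still reachable and the upgrade or deletion is outstanding. Feed real access-log lines to `find_minifier_requests` in place of the constructed sample to see whether the endpoint was requested before the workaround was applied.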

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Nextcloud/Mail (llm-fuzzy)
    Range: <1.12.7, <1.13.6
  • nextcloud/security-advisories (v5)
    Range: < 1.12.8

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.