calcom cal.diy Logo API route.ts validateUrlForSSRF server-side request forgery
Description
A security flaw has been discovered in calcom cal.diy up to 4.9.4. The affected element is the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts of the component Logo API. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SSRF vulnerability in calcom cal.diy up to 4.9.4 allows authenticated attackers to read cloud metadata via HTTP redirect bypass of URL validation.
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in the Logo API endpoint of calcom cal.diy versions up to 4.9.4. The affected file is apps/web/app/api/logo/route.ts, specifically the validateUrlForSSRF function. While the function correctly blocks direct requests to private or loopback IP ranges, a Time-of-Check to Time-of-Use (TOCTOU) flaw occurs because the subsequent fetch() call (line 208) does not disable HTTP redirects (redirect: "manual"). An attacker can supply a public URL that returns a 302/301 redirect to an internal metadata endpoint (e.g., AWS 169.254.x.x), bypassing the initial validation [1].
Exploitation
An authenticated attacker with permissions to create or modify Organization or Team parameters can set an arbitrary logoUrl. The attacker provides a public IP address that hosts a redirect to a restricted internal resource, such as cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/). The validateUrlForSSRF check passes because the initial URL is public, but the backend fetch() automatically follows the redirect, sending the request to the internal target and returning the response [1].
Impact
Successful exploitation allows the attacker to perform a full-read SSRF against internal cloud metadata services. This can lead to disclosure of sensitive information such as AWS instance credentials, IAM roles, and other configuration data, potentially enabling privilege escalation and lateral movement within the cloud environment [1].
Mitigation
No official fix has been released by the vendor, who did not respond to disclosure attempts. As a workaround, administrators should modify the fetch() call in apps/web/app/api/logo/route.ts to set redirect: "manual" and manually handle redirects, or implement a deny list for internal IP ranges after redirect resolution. Until a patch is available, restrict access to the Logo API to trusted users only [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Time-of-check time-of-use (TOCTOU) gap: `validateUrlForSSRF` validates the initial URL, but `fetch()` follows HTTP redirects to internal IPs without restriction."
Attack vector
An authenticated attacker with permissions to modify Organization or Team parameters sets a `logoUrl` pointing to a public HTTP endpoint (e.g., httpbin.org) that issues a 302 redirect to an internal address such as `http://127.0.0.1:4000/internal-admin-bypass` or a cloud metadata IP like `169.254.169.254` [1]. The `validateUrlForSSRF` check passes because the initial URL resolves to a public IP, but the subsequent `fetch()` call follows the redirect chain into the internal network, exfiltrating restricted data back to the attacker [CWE-918][CWE-367].
Affected code
The vulnerability resides in `apps/web/app/api/logo/route.ts`. The function `validateUrlForSSRF` performs an initial DNS/CIDR check on the user-supplied `logoUrl`, but the subsequent `fetch()` call on line 208 does not set `redirect: "manual"` or `redirect: "error"`, allowing Node.js's default fetch behavior to follow HTTP redirects automatically [1].
What the fix does
The advisory states no patch has been released; the vendor did not respond to the disclosure [1]. To remediate, the `fetch()` call on line 208 of `apps/web/app/api/logo/route.ts` must include `redirect: "manual"` (or `redirect: "error"`) to prevent automatic following of HTTP redirects, closing the TOCTOU window between the SSRF validation and the actual request [CWE-367][1].
Preconditions
- auth: Attacker must be authenticated with permissions to create or modify Organization/Team logoUrl parameters
- network: Attacker must have network access to a public HTTP endpoint that can issue a 302/301 redirect to an internal IP
- network: The application's fetch() must be able to reach the target internal service (e.g., cloud metadata endpoint, loopback service)
Reproduction
1. Save the PoC script from the reference write-up as `poc_exploit_ssrf_bypass.py` [1].
2. Ensure a local PostgreSQL instance is running at `localhost:5450` with the Cal.com schema.
3. Run `python3 poc_exploit_ssrf_bypass.py`.
4. Observe the output `[EXPLOIT SUCCESS]` confirming the internal service at `127.0.0.1:4000` was reached via the HTTP redirect bypass [1].
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- [1] gist.github.com/YLChen-007/b3d0b85767b7e346a291933d602fbb3b (mitre, exploit)
- vuldb.com/submit/812176 (mitre, third-party-advisory)
- vuldb.com/vuln/365251 (mitre, vdb-entry, technical-description)
- vuldb.com/vuln/365251/cti (mitre, signature, permissions-required)
News mentions (0)
No linked articles in our index yet.