ItzCrazyKns Vane Model Provider API route.ts server-side request forgery
Description
A flaw has been found in ItzCrazyKns Vane up to 1.12.1. This vulnerability affects unknown code of the file src/app/api/providers/route.ts of the component Model Provider API. This manipulation of the argument baseURL causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vane up to 1.12.1 contains an unauthenticated SSRF in the Model Provider API (POST /api/providers) allowing arbitrary outbound HTTP requests and potential data exfiltration.
Vulnerability
The Model Provider registration endpoint (POST /api/providers) in ItzCrazyKns/Vane versions up to 1.12.1 allows unauthenticated users to supply an arbitrary baseURL parameter. Upon provider creation, the server immediately sends an HTTP request to ${baseURL}/api/tags (or similar provider-specific paths) without validating the target. This results in a Server-Side Request Forgery (SSRF) vulnerability (CWE-918). The vulnerable code resides in src/app/api/providers/route.ts. [1]
Exploitation
An attacker can send a crafted POST request to /api/providers with a malicious baseURL pointing to an internal IP address (e.g., http://127.0.0.1:8080), a cloud metadata endpoint (http://169.254.169.254/latest/meta-data/), or any external server. No authentication or user interaction is required. The server will then make an HTTP request to the specified target from its own network context. Additionally, if the target does not return a valid JSON response, the server reflects error messages containing fragments of the response body back to the attacker, turning a blind SSRF into a partially readable one. The exploit has been publicly published. [1]
Impact
Successful exploitation allows an attacker to probe internal services accessible from the server, read cloud instance metadata (potentially disclosing credentials and configuration), and exfiltrate data from internal endpoints through error messages. The CVSS v3.1 score is 9.1 (Critical) with a vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, indicating high confidentiality and availability impact with no privileges required. [1]
Mitigation
As of the publication date (2026-05-24), there is no patch available. The project was notified via an issue report ([1]) but has not responded. Users should restrict network access to the /api/providers endpoint (e.g., via a reverse proxy ACL) until a fix is released. No workaround is provided by the vendor. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.12.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing URL validation on the attacker-controlled baseURL parameter combined with an unauthenticated API endpoint allows server-side requests to arbitrary internal or external destinations."
Attack vector
An unauthenticated attacker sends a POST request to `/api/providers` with a JSON body containing a `config.baseURL` pointing to an internal or cloud-metadata address (e.g., `http://127.0.0.1:3000` or `http://169.254.169.254`). The server immediately makes a server-side HTTP GET request to `${baseURL}/api/tags` (for Ollama-type providers) or an equivalent endpoint for other provider types. When the target does not return valid JSON, the error message—which includes a fragment of the response body—is reflected back to the attacker, turning a blind SSRF into a partially readable one [ref_id=1].
Affected code
The vulnerability resides in `src/app/api/providers/route.ts` (the unauthenticated POST handler) and the provider implementations that use the attacker-supplied `baseURL` without validation. The primary sink is in `src/lib/models/providers/ollama/index.ts` where `fetch(`${this.config.baseURL}/api/tags`)` is called. Similar patterns exist in the OpenAI, LM Studio, and Lemonade providers [ref_id=1].
What the fix does
No patch has been published; the project was informed via an issue report but has not responded [ref_id=1]. The advisory recommends three mitigations: (1) add authentication to the POST `/api/providers` endpoint, (2) validate `baseURL` in `parseAndValidate()` to restrict schemes to HTTP/HTTPS and block private/internal IP addresses, and (3) sanitize error messages so that raw response body fragments are not returned to the client [ref_id=1].
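The second mitigation above (restrict `baseURL` to HTTP/HTTPS and block private or internal addresses) shown as an added example in TypeScript; this is not Vane's code, and `validateBaseURL` and its helpers are assumed names rather than the project's `parseAndValidate()`. It inspects the literal host only; a hostname that resolves to an internal address must also be rejected after DNS resolution (and re-checked at connect time to defeat DNS rebinding).

```typescript
// Added example, not Vane's code: an allow-list check for a provider baseURL.
// Rejects non-HTTP(S) schemes and literal loopback, RFC 1918, link-local
// (incl. 169.254.169.254), CGNAT and IPv6 ULA/link-local hosts.

function isPrivateIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||          // 0/8, 10/8, loopback
    (a === 169 && b === 254) ||                       // link-local / cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||              // 172.16/12
    (a === 192 && b === 168) ||                       // 192.168/16
    (a === 100 && b >= 64 && b <= 127) ||             // 100.64/10 (CGNAT)
    a >= 224;                                         // multicast and reserved
}

function isPrivateIPv6(bracketed: string): boolean {
  // URL.hostname returns IPv6 literals in "[...]" form, already normalised.
  const ip = bracketed.replace(/^\[|\]$/g, "").toLowerCase();
  if (ip === "::" || ip === "::1") return true;       // unspecified, loopback
  if (/^f[cd]/.test(ip) || /^fe[89ab]/.test(ip)) return true; // ULA, link-local
  const mapped = /^::ffff:(.+)$/.exec(ip);            // IPv4-mapped, e.g. ::ffff:7f00:1
  if (mapped) {
    const rest = mapped[1];
    if (rest.includes(".")) return isPrivateIPv4(rest);
    const [hi, lo] = rest.split(":").map((g) => parseInt(g, 16));
    return isPrivateIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

type Check = { ok: true; url: string } | { ok: false; reason: string };

function validateBaseURL(raw: string): Check {
  let u: URL;
  try { u = new URL(raw); } catch { return { ok: false, reason: "not an absolute URL" }; }
  // The WHATWG parser has already normalised forms such as 2130706433 or 127.1
  // to dotted-quad notation, so the checks below see the canonical host.
  if (u.protocol !== "http:" && u.protocol !== "https:") return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: "credentials in URL not allowed" };
  const host = u.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "loopback host not allowed" };
  if (isPrivateIPv4(host) || isPrivateIPv6(host)) return { ok: false, reason: `non-public address ${host} not allowed` };
  return { ok: true, url: u.href };
}
```

Call `validateBaseURL` on the submitted `config.baseURL` before any provider object is constructed, so no outbound request is issued for a rejected value.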
Preconditions
- auth: No authentication required on the POST /api/providers endpoint
- network: Attacker must have network access to the Vane server
- input: Attacker supplies an arbitrary baseURL value in the JSON request body
Reproduction
1. Ensure Vane 1.12.1 is running on `http://localhost:3001` and another web service is running on `http://127.0.0.1:3000`.
2. Send the following curl command:

```bash
curl -X POST http://localhost:3001/api/providers \
  -H 'Content-Type: application/json' \
  -d '{ "type": "ollama", "name": "ssrf-test", "config": { "baseURL": "http://127.0.0.1:3000" } }'
```

3. Observe that the response includes the internal service's response fragment in the `chatModels[0].name` field, confirming the SSRF [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/ItzCrazyKns/Vane/issues/1124 (mitre; exploit; issue-tracking)
- vuldb.com/submit/813211 (mitre; third-party-advisory)
- vuldb.com/vuln/365336 (mitre; vdb-entry; technical-description)
- vuldb.com/vuln/365336/cti (mitre; signature; permissions-required)
News mentions
No linked articles in our index yet.