imgproxy is a fast and secure standalone server for resizing and converting remote images. The guiding principles behind imgproxy are security, speed, and simplicity.
Reviewing the code at https://github.com/imgproxy/imgproxy/blob/ee9e8f0cb101ec22318caffd552a23cc0548d5ce/imagedata/download.go#L142 shows that the imageURL parameter is not validated beyond its scheme: only http and https are accepted, and the target host is never checked. Restricting the scheme does not mitigate this SSRF vulnerability.
An attacker can still supply a loopback address (or any other internal host) in imageURL and have imgproxy issue the request on their behalf.
This vulnerability allows enumeration of internal hosts and ports. The oracle is error based: the application returns one of two distinct error responses depending on whether the target answered:
- 500 Internal Server Error (Source image is unreachable): the URL could not be fetched, meaning the host is unreachable or the port is closed.
- 422 Unprocessable Entity (Invalid source image): the connection succeeded (the host is reachable and the port is open) but the response body was not a valid image.
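As an added example (not imgproxy's own code), the following Go program places the scheme-only acceptance described above beside a hypothetical hardened check that also resolves the host and rejects loopback, link-local, and private addresses, and encodes the 500/422 distinction as an oracle function. The function names, the sample URLs, and the public IP literal used for the accepted case are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// schemeOnlyCheck mirrors the behaviour the report describes: the source URL
// is accepted as long as its scheme is http or https. Nothing else is examined,
// so http://127.0.0.1:6379/ passes.
func schemeOnlyCheck(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("unsupported scheme")
	}
	return nil
}

// isInternalIP reports whether ip is in a range an image proxy should never
// fetch from: loopback, unspecified, link-local (which includes the 169.254.x
// cloud metadata address), RFC 1918 / ULA private space, and multicast.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsPrivate()
}

// hardenedCheck is the hypothetical stricter validator: the scheme check plus
// resolution of the host and rejection of every resolved address that is internal.
// IP literals are parsed directly so the check works without DNS.
func hardenedCheck(ctx context.Context, raw string) error {
	if err := schemeOnlyCheck(raw); err != nil {
		return err
	}
	u, _ := url.Parse(raw) // already parsed successfully above
	host := u.Hostname()   // strips port and IPv6 brackets
	if host == "" {
		return errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return fmt.Errorf("resolve %q: %w", host, err)
		}
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("source host %q resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// PortState is what the 500/422 distinction reveals about a target host:port.
type PortState int

const (
	PortUnknown PortState = iota
	PortClosed            // 500 "Source image is unreachable": the connection failed
	PortOpen              // 422 "Invalid source image": something answered, but not an image
)

// classifyResponse turns an imgproxy HTTP status into the oracle result the
// report describes. A 200 means a real image came back, so the port is open too;
// any other status yields PortUnknown rather than a guess.
func classifyResponse(status int) PortState {
	switch status {
	case 500:
		return PortClosed
	case 422, 200:
		return PortOpen
	default:
		return PortUnknown
	}
}

func main() {
	ctx := context.Background()
	for _, raw := range []string{
		"http://127.0.0.1:6379/",                   // loopback: passes scheme check, fails hardened
		"http://169.254.169.254/latest/meta-data/", // link-local metadata: same
		"https://93.184.216.34/img.png",            // public literal (constructed sample): passes both
	} {
		fmt.Printf("%-44s scheme-only=%v hardened=%v\n", raw, schemeOnlyCheck(raw), hardenedCheck(ctx, raw))
	}
	fmt.Println("500 ->", classifyResponse(500), "422 ->", classifyResponse(422))
}
```

Note that validating the resolved address before the fetch is not enough on its own: the HTTP client resolves the hostname again when it dials, so a DNS answer that changes between the two lookups (DNS rebinding) would bypass this check. The robust placement for isInternalIP is inside the dialer, applied to the address actually being connected to.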