The GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction.
The vulnerability exists in the interaction between four components:
1. Route registration — no authentication (internal/router/common.go:11):
appRouterGroup.PublicRouterGroup.GET("/website/title", h.CommonHandler.GetWebsiteTitle())
The PublicRouterGroup is created at internal/router/router.go:34 as r.Group("/api") with no auth middleware attached (unlike AuthRouterGroup which uses JWTAuthMiddleware).
2. Handler — no input validation (internal/handler/common/common.go:106-127):
func (commonHandler *CommonHandler) GetWebsiteTitle() gin.HandlerFunc {
return res.Execute(func(ctx *gin.Context) res.Response {
var dto commonModel.GetWebsiteTitleDto
if err := ctx.ShouldBindQuery(&dto); err != nil { ... }
title, err := commonHandler.commonService.GetWebsiteTitle(dto.WebSiteURL)
...
})
}
The DTO (internal/model/common/common_dto.go:155-156) only enforces binding:"required" — no URL scheme or host validation.
3. Service — TrimURL is cosmetic (internal/service/common/common.go:122-125):
func (s *CommonService) GetWebsiteTitle(websiteURL string) (string, error) {
websiteURL = httpUtil.TrimURL(websiteURL)
body, err := httpUtil.SendRequest(websiteURL, "GET", httpUtil.Header{}, 10*time.Second)
...
}
TrimURL (internal/util/http/http.go:16-26) only calls TrimSpace, TrimPrefix("/"), and TrimSuffix("/"). No SSRF protections.
4. HTTP client — unrestricted outbound request...
1.4.8-0.20260401031029-4ca56fea5ba4Exploitability
AV:NAC:LPR:NUI:NScope
S:CImpact
C:LI:LA:N7.2/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N