A critical vulnerability has been identified in Fermyon Spin applications, particularly those configured to use self requests without a specified URL authority. If an application’s manifest includes certain configurations and code, it can be manipulated to send requests to arbitrary hosts via the Host HTTP header. This could potentially lead the application to incorrectly process responses, assuming they originate from another component within the same application. Such vulnerability is exploitable under specific conditions: when the environment routes requests based on the URL instead of the Host header, and the component handling the incoming request includes “self” in the allowed_outbound_hosts list without explicitly including the hostname/port in outbound requests.
Several setups, including Fermyon’s own Fermyon Cloud serverless product and applications hosted on it, are confirmed not to be vulnerable. However, for other environments, it is crucial to implement the necessary patches and workarounds. The issue has been addressed in Spin version 2.4.3, and users are strongly urged to upgrade to this version to ensure their systems are protected.
Workarounds for those unable to immediately upgrade include sanitizing the Host header to match the routed application and ensuring outgoing requests always provide the hostname in the URL. Additionally, for Spin 2.4 users, employing application-internal service chaining for intra-application requests can help mitigate the risk. Ensuring these precautions can prevent unauthorized redirections and potential security breaches.
Addressing this vulnerability promptly is crucial for maintaining the security and integrity of affected Spin applications. Users must stay vigilant and implement the recommended patches and workarounds to safeguard their systems against potential exploitation.
Reference:
