parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the POST /api/proxy REST API. Attackers can exploit this vulnerability to abuse the victim servers credentials to access unauthorized web resources by specifying the JSON parameter {url:http://steal.target}. Existing security mechanisms such as forbid_remote_access(lollmsElfServer), lollmsElfServer.config.headless_server_mode, and check_access(lollmsElfServer, request.client_id) do not protect against this vulnerability.
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.