CVE-2026-28680
Ghostfolio · Ghostfolio
Ghostfolio versions prior to 2.245.0 are vulnerable to a full-read SSRF in the manual asset import feature, allowing attackers to exfiltrate cloud metadata and probe internal services.
Executive summary
A critical Server-Side Request Forgery (SSRF) vulnerability in Ghostfolio allows attackers to exfiltrate sensitive cloud metadata and internal network data through the asset import feature.
Vulnerability
The manual asset import feature fails to properly validate user-supplied URLs, leading to a full-read SSRF. An attacker can exploit this to force the server to make requests to internal resources, such as the Instance Metadata Service (IMDS) in cloud environments, to steal sensitive credentials.
Business impact
With a CVSS score of 9.3, this vulnerability poses a severe risk to data confidentiality and infrastructure security. If Ghostfolio is hosted in a cloud environment (AWS, Azure, GCP), an attacker who reads the instance metadata service could gain access to the credentials of the underlying cloud account, leading to data breaches and unauthorized resource usage.
Remediation
Immediate Action: Update Ghostfolio to version 2.245.0 or later to resolve the SSRF flaw in the asset import component.
Proactive Monitoring: Review application and network logs for outbound requests originating from the Ghostfolio server directed at internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or the metadata address 169.254.169.254.
Compensating Controls: Restrict the Ghostfolio server's egress traffic using firewall rules or security groups to prevent it from reaching sensitive internal services or cloud metadata endpoints.
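The monitoring step above (flag outbound requests to RFC 1918 ranges or 169.254.169.254) and the root cause in the Vulnerability section (user-supplied URLs reaching internal addresses) come down to the same check: is this destination a non-public address? The following is an added example, not Ghostfolio project code. It classifies a destination host as internal or public (IPv4 and IPv6, including IPv4-mapped IPv6 literals and hostnames that resolve to internal addresses) and runs that classifier over a constructed egress-log excerpt. The log format, the `egress` token, the `dst=` field and the `prices.corp.example` hostname are assumptions made for this example; adapt the regex to whatever proxy or application log you actually have.

```python
"""Egress-log triage for SSRF-style outbound requests.

Added example, not Ghostfolio's own code.  The log layout below is a
constructed format for illustration only.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Set
from urllib.parse import urlsplit

# Constructed sample lines in a hypothetical "egress" log format.
SAMPLE_LOG = """\
2026-03-02T10:14:03Z ghostfolio egress method=GET dst=https://example.com/prices.json status=200
2026-03-02T10:14:09Z ghostfolio egress method=GET dst=http://169.254.169.254/ status=200
2026-03-02T10:15:21Z ghostfolio egress method=GET dst=http://10.0.3.7:8080/ status=500
2026-03-02T10:16:40Z ghostfolio egress method=GET dst=http://[fd00::1]/ status=200
2026-03-02T10:17:02Z ghostfolio egress method=GET dst=http://prices.corp.example/feed status=200
"""

_LINE = re.compile(r"^(?P<ts>\S+) \S+ egress method=(?P<method>\S+) dst=(?P<url>\S+)")

Resolver = Callable[[str], Set[str]]


def _default_resolver(host: str) -> Set[str]:
    """Resolve a hostname to its A/AAAA records; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_internal_destination(host: str, resolver: Resolver = _default_resolver) -> bool:
    """True if `host` (IP literal or hostname) points at a non-public address.

    Non-public means anything ipaddress does not consider globally routable:
    RFC 1918 ranges, loopback, link-local (which contains 169.254.169.254),
    IPv6 unique-local / link-local, and IPv4-mapped IPv6 forms of the same.
    Hostnames are resolved so an internal DNS name is caught too; a name that
    does not resolve is not flagged.
    """
    try:
        addresses = {ipaddress.ip_address(host)}
    except ValueError:  # not an IP literal, treat as a hostname
        addresses = set()
        for text in resolver(host):
            try:
                addresses.add(ipaddress.ip_address(text))
            except ValueError:
                continue
    for ip in addresses:
        # ::ffff:10.0.0.1 is an IPv4 address in disguise; classify the inner one.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return True
    return False


def scan_egress_log(lines: Iterable[str], resolver: Resolver = _default_resolver) -> List[Dict[str, str]]:
    """Return the log entries whose destination host is internal."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        # urlsplit().hostname drops the port and the brackets of an IPv6 literal.
        host = urlsplit(m.group("url")).hostname
        if host and is_internal_destination(host, resolver):
            hits.append({"ts": m.group("ts"), "url": m.group("url"), "host": host})
    return hits


if __name__ == "__main__":
    # Constructed resolver so the example runs offline; a real run uses DNS.
    fake_dns: Resolver = lambda h: {"prices.corp.example": {"10.0.3.7"}}.get(h, set())
    for hit in scan_egress_log(SAMPLE_LOG.splitlines(), fake_dns):
        print(f"{hit['ts']} internal destination {hit['host']} via {hit['url']}")
```

The same `is_internal_destination` check is what a pre-flight allowlist in front of a server-side URL fetcher needs, with one caveat that matters for any SSRF defence: resolve the hostname once, check the resolved address, and connect to that address rather than resolving again at connect time, and re-run the check on every redirect target, otherwise a name that changes its answer between the check and the connection slips through.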
Exploitation status
Public Exploit Available: false
Analyst recommendation
It is imperative that Ghostfolio users update their installations to version 2.245.0 immediately. Organizations should also adopt the principle of least privilege for the service accounts running the application to limit the potential impact of an SSRF-based credential theft.