CVE-2026-49120
Medplum · Medplum
A server-side request forgery (SSRF) vulnerability in the Medplum subscription worker allows authenticated users to trigger unauthorized requests to internal services.
Executive summary
Medplum is affected by a high-severity SSRF vulnerability that allows authenticated attackers to exfiltrate sensitive data from internal infrastructure.
Vulnerability
The Medplum subscription worker delivers FHIR Subscription notifications by sending HTTP requests to the URL configured as the Subscription's rest-hook endpoint. Because that endpoint was not restricted, any authenticated user who could create a Subscription resource could set its endpoint to an internal address, and the server would then issue requests on the attacker's behalf to services that are not reachable from outside the deployment. The request is made from the worker's own network position, so network-level isolation of those services does not protect them.
Business impact
With a CVSS score of 8.5, the vulnerability poses a significant risk of data exfiltration. An attacker can use the worker as a proxy into internal resources, potentially reading sensitive patient health information (PHI) from internal services or obtaining internal IAM credentials, such as those served by a cloud instance-metadata endpoint, and using them to compromise the wider environment.
Remediation
Immediate Action: Update the Medplum instance to version 5.1.14 or later to remediate the SSRF vulnerability.
Proactive Monitoring: Review audit logs for creation and modification of FHIR Subscription resources, and enumerate existing active rest-hook Subscriptions. Treat any endpoint that points to a loopback, private (RFC 1918), link-local or cloud-metadata address, or to an internal hostname, as suspicious and investigate who created it.
Compensating Controls: Deny outbound connections from the subscription worker service by default and allow only the specific external endpoints that subscriptions legitimately need. At minimum, block loopback, RFC 1918, link-local (including 169.254.169.254) and cluster-internal ranges. Egress filtering limits the blast radius but does not replace the upgrade.
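The following script is an added example for the monitoring and egress-filtering steps above; it is not Medplum code. It takes exported FHIR JSON (for example a searchset Bundle of Subscription resources), extracts every rest-hook endpoint, and classifies the endpoint as internal, suspicious or external using the same address classes an egress filter should block. The sample Bundle embedded in the script is constructed for illustration. The check is purely offline: literal IPs are tested against reserved ranges and hostnames are tested syntactically, so a public hostname that resolves to an internal address would not be caught here and needs a resolver-aware follow-up.

```python
"""Triage FHIR Subscription rest-hook endpoints for internal targets.

Added example for this advisory, not part of Medplum. Makes no network calls.
"""
import ipaddress
import json
import sys
from urllib.parse import urlsplit

# Well-known cloud instance-metadata hosts: the usual SSRF route to IAM credentials.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata", "fd00:ec2::254"}
# Hostname suffixes that only make sense inside a deployment (Kubernetes, mDNS, etc.).
INTERNAL_SUFFIXES = (".internal", ".local", ".localhost", ".svc", ".cluster.local")


def classify_endpoint(endpoint):
    """Return (verdict, reason) where verdict is 'internal', 'suspicious' or 'external'."""
    try:
        parts = urlsplit(endpoint)
    except ValueError as exc:
        return "suspicious", f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"non-HTTP scheme {parts.scheme!r}"
    host = parts.hostname  # lowercased; IPv6 brackets, userinfo and port removed
    if not host:
        return "suspicious", "missing host"
    if host in METADATA_HOSTS:
        return "internal", "cloud metadata endpoint"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 range checks apply.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
            return "internal", f"literal IP {ip} in a reserved range"
        return "external", f"literal public IP {ip}"
    # Bare names (e.g. a Kubernetes service) and obvious internal suffixes.
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES) or "." not in host:
        return "internal", f"internal-looking hostname {host!r}"
    return "external", f"hostname {host!r} (resolve it before trusting this verdict)"


def find_risky_subscriptions(bundle):
    """Return rest-hook Subscriptions in a FHIR Bundle whose endpoint is not clearly external."""
    findings = []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") != "Subscription":
            continue
        channel = res.get("channel", {})
        if channel.get("type") != "rest-hook":
            continue
        endpoint = channel.get("endpoint", "")
        verdict, reason = classify_endpoint(endpoint)
        if verdict != "external":
            findings.append({"id": res.get("id"), "status": res.get("status"),
                             "endpoint": endpoint, "verdict": verdict, "reason": reason})
    return findings


# Constructed sample data; not taken from any real Medplum instance.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "searchset",
    "entry": [
        {"resource": {"resourceType": "Subscription", "id": "sub-ok", "status": "active", "criteria": "Patient",
                      "channel": {"type": "rest-hook", "endpoint": "https://hooks.example.com/fhir"}}},
        {"resource": {"resourceType": "Subscription", "id": "sub-metadata", "status": "active", "criteria": "Observation",
                      "channel": {"type": "rest-hook", "endpoint": "http://169.254.169.254/latest/meta-data/"}}},
        {"resource": {"resourceType": "Subscription", "id": "sub-mapped", "status": "active", "criteria": "Patient",
                      "channel": {"type": "rest-hook", "endpoint": "http://[::ffff:10.0.0.5]:8080/"}}},
        {"resource": {"resourceType": "Subscription", "id": "sub-k8s", "status": "off", "criteria": "Patient",
                      "channel": {"type": "rest-hook", "endpoint": "http://redis.default.svc:6379/"}}},
        {"resource": {"resourceType": "Subscription", "id": "sub-ws", "status": "active", "criteria": "Patient",
                      "channel": {"type": "websocket"}}},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            bundle = json.load(fh)
    else:
        bundle = SAMPLE_BUNDLE
    for f in find_risky_subscriptions(bundle):
        print(f"{f['verdict']:<10} {f['id']:<14} status={f['status']:<7} {f['endpoint']}  ({f['reason']})")
```

Run it against a Bundle exported from the Subscription endpoint (or with no argument to use the embedded sample). Subscriptions with status "off" are still reported: a disabled Subscription with an internal endpoint is evidence of an earlier attempt and is worth correlating with the audit log. The `is_private`/`is_link_local`/`is_loopback` checks also define the minimum deny list for the worker's egress policy.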
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the sensitivity of the data handled by Medplum, this vulnerability must be addressed urgently. Organizations should apply the update to version 5.1.14 and conduct a review of existing subscription resources to ensure no unauthorized endpoints have been configured.