Roadiz, Server-Side Request Forgery & Local File Inclusion, CVE-2024-XXXXX (Critical)

Listen to this Post

The vulnerability, identified as an SSRF and LFI, stems from the `DownloadedFile::fromUrl()` method in Roadiz. This method uses PHP’s native `fopen()` to fetch a resource from a user-supplied URL without any validation or sanitization of the URL scheme. Because PHP stream wrappers are enabled, an attacker can supply a `file://` scheme instead of an expected http://` orhttps://`. The application then treats this as a local file operation, reading the contents of a file from the server’s filesystem. The method is called during media import processes, such as fetching cover art from a Podcast RSS feed. An attacker with the `ROLE_ACCESS_DOCUMENTS` permission can host a malicious RSS feed containing a `file://` URI. When the CMS processes this feed, the `fopen()` call reads the targeted file, and the application subsequently copies it into the publicly accessible Media Library. The attacker can then download the file from the media manager, leading to the exposure of sensitive files like .env, configuration files, or system files.
Platform: Roadiz CMS
Version: Affected versions
Vulnerability : SSRF/LFI
Severity: Critical
date: 2026-03-24

Prediction: Patch already released

What Undercode Say:

Simulate the vulnerable fopen() call
php -r "var_dump(fopen('file:///etc/passwd', 'r'));"
Check for stream wrapper support
php -r "var_dump(stream_get_wrappers());"

Exploit:

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
<itunes:image href="file:///app/.env" />
</channel>
</rss>

Authenticate, import podcast.xml from URL, download resulting media file.

Protection from this CVE

Validate URL scheme against an allowlist (e.g., only http, https). Disable dangerous PHP wrappers like file://. Implement strict input sanitization for all URLs passed to filesystem functions.

Impact:

Complete loss of confidentiality. Exposure of environment variables, database credentials, application secrets, and internal system files. Can lead to full application compromise and privilege escalation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top