GHSA-pj8j-p4g4-4vw8
Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs
Details
### Summary
Kimai 2.56.0 contains a server-side request forgery vulnerability in its invoice PDF preview and generation workflow. If an attacker can control Markdown content that is later rendered into an invoice PDF, such as `Customer.invoiceText`, the server-side PDF renderer will fetch remote image URLs embedded in Markdown image syntax.
This allows the application server to issue outbound requests to attacker-controlled or internal targets during PDF rendering. The behavior can be used for internal network probing, server-side reachability checks, and potentially follow-on exploitation depending on deployment environment and accessible internal services.
### Details
The vulnerable behavior occurs in the invoice rendering chain when user-controlled Markdown is transformed into HTML and then rendered by mPDF.
- First, customer invoice text is copied into the invoice model. . Second, the default PDF invoice template renders that field through the Markdown-to-HTML filter. - Third, `md2html` enables full Markdown rendering. - Although safe mode is enabled, the tested Markdown image syntax still survives into the rendered HTML chain in a form that causes the PDF renderer to fetch the image resource. - Finally, the HTML is handed to mPDF.
The live test confirms that mPDF attempts to retrieve the remote image URL from the server side during PDF preview. This means the issue is not a template-injection problem but an SSRF condition caused by the rendering pipeline:
- attacker-controlled Markdown - Markdown converted to HTML - HTML rendered by mPDF - mPDF fetches remote image resources from the server side
*A PoC was provided, but removed for security reasons.*
### Impact
This vulnerability allows an attacker who can influence invoice-rendered Markdown fields to cause the Kimai server to make outbound requests to arbitrary destinations. In real deployments, this can be used to probe internal services, test access to internal administrative or metadata endpoints, and confirm server-side reachability to attacker-controlled infrastructure.
Depending on the environment, SSRF can also become a stepping stone toward more serious outcomes, such as triggering side effects on internal HTTP services or extracting sensitive information from services reachable only by the server. Because invoice generation is commonly performed by administrative or finance-related users, the feature is realistically reachable in business workflows.
# Solution
- Kimai does not allow to use markdown images any longer and converts them to HTML links instead - Kimai uses a specialized HttpClient for mPDF (called `NoPrivateNetworkHttpClient`), which prevents access to a variety of URLs, the full list can be fetched [from the documentation](https://www.kimai.org/documentation/pdf-templates.html#embedding-images) - This change can be a BC break, if someone used - the Kimai domain for hosting invoice or export template images - an internal IP for hosting invoice or export template images
See https://www.kimai.org/en/security/ghsa-pj8j-p4g4-4vw8
Are you affected?
Enter the version of the package you're using.