Security update: Meilisearch v1.34.1 fixes an SSRF vulnerability

Summary
Meilisearch versions v1.8 to v1.34.0 are vulnerable to an authenticated, blind Server-Side Request Forgery (SSRF) attack, and we recommend that open-source users update immediately to Meilisearch v1.34.1 or later.
Customers of Meilisearch Cloud do not need to take any specific action, as the Cloud environment is protected against exploitation of this vulnerability. No CVE number has been assigned yet; a CVE request (ID 1975471) has been filed.
Technical details
In Meilisearch versions v1.8 to v1.34.0, a user with an API key with write permissions to the configuration of the Meilisearch instance could set up Meilisearch to send POST or GET requests to domains and IPs local to the private network of the Meilisearch instance, effectively bypassing the firewall.
Meilisearch v1.34.1 fixes the vulnerability by forbidding Meilisearch from making any requests to a host resolving to a non-global IP, in the sense of the IANA IPv4 Special-Purpose Address Registry or the IANA IPv6 Special-Purpose Address Registry. If you need this functionality in your Meilisearch instance, you can set private IP networks as allowed with the --experimental-allow-ip-networks parameter after reviewing the security implications.
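As an added example (not Meilisearch's own code), the rule the fix describes can be expressed with Python's standard ipaddress module, whose is_global property follows the same IANA special-purpose registries; parse_allowed_networks, is_allowed_address, resolve_all and is_allowed_host are hypothetical names, and the allow list stands in for the --experimental-allow-ip-networks setting.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List

# Hypothetical helper (added example, not Meilisearch code): outbound request
# targets must be globally routable per the IANA IPv4/IPv6 Special-Purpose
# Address Registries, unless the operator explicitly allows a network.

def parse_allowed_networks(specs: Iterable[str]):
    """Parse operator-supplied CIDR strings (the allow-list) into networks."""
    return [ipaddress.ip_network(s, strict=False) for s in specs]

def is_allowed_address(addr: str, allowed_networks=()) -> bool:
    """True if addr is global, or lies inside an explicitly allowed network."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged as the embedded IPv4,
    # otherwise a private IPv4 target could slip through a v6-only check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in allowed_networks):
        return True
    # is_global follows the IANA special-purpose registries: loopback,
    # link-local, RFC 1918, shared address space, documentation, ULA, ...
    return ip.is_global

def resolve_all(host: str) -> List[str]:
    """Resolve every A/AAAA record; one private record must deny the request."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})

def is_allowed_host(host: str, allowed_networks=(),
                    resolver: Callable[[str], List[str]] = resolve_all) -> bool:
    """Deny unless every address the host resolves to is allowed.
    Literal IPs (optionally in [] brackets) are checked directly."""
    try:
        addrs = [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False
    # Caller should connect to these vetted addresses rather than re-resolving
    # the name; a second lookup could return a different (private) answer.
    return all(is_allowed_address(a, allowed_networks) for a in addrs)
```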
We detected no signs of exploitation on Meilisearch Cloud. We recommend that any self-hosted Meilisearch instance apply defense in depth and least privilege principles and have the most limited possible access to the private network.
Acknowledgments
Thanks to Gabriel Rodrigues (aka Texugo), for reporting this vulnerability and for helping us improve the security of Meilisearch.