
CVE-2026-33182: CWE-918: Server-Side Request Forgery (SSRF) in saloonphp saloon

Severity: Medium
Tags: CVE-2026-33182, CWE-918, CWE-522
Published: Thu Mar 26 2026 (03/26/2026, 00:22:14 UTC)
Source: CVE Database V5
Vendor/Project: saloonphp
Product: saloon

Description

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, when building the request URL, Saloon combined the connector's base URL with the request endpoint. If the endpoint was a valid absolute URL, the code used that URL as-is and ignored the base URL. The request—and any authentication headers, cookies, or tokens attached by the connector—was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix in version 4.0.0 is to reject absolute URLs in the endpoint: URLHelper::join() throws InvalidArgumentException when the endpoint is a valid absolute URL, unless explicitly allowed, requiring callers to opt-in to the functionality on a per-connector or per-request basis.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/26/2026, 01:17:32 UTC

Technical Analysis

Saloon is a PHP library designed to facilitate API integrations and SDK development by providing tools to build HTTP requests. In versions prior to 4.0.0, Saloon constructs request URLs by combining a connector's base URL with a specified request endpoint. However, if the endpoint is a valid absolute URL, the library uses it directly, ignoring the base URL. This behavior allows an attacker to supply an absolute URL as the endpoint, causing the server to send requests to arbitrary external hosts. Critically, these requests include authentication headers, cookies, or tokens attached by the connector, potentially exposing sensitive credentials to attacker-controlled servers. This Server-Side Request Forgery (SSRF) vulnerability (CWE-918) can be triggered if user input or configuration parameters (e.g., redirect_uri or callback URLs) influence the endpoint URL. The vulnerability also relates to CWE-522, indicating exposure of credentials. The fix introduced in Saloon 4.0.0 enforces validation by rejecting absolute URLs in endpoints unless explicitly permitted, throwing an InvalidArgumentException otherwise. This change requires developers to opt-in to absolute URL usage on a per-connector or per-request basis, effectively preventing unintended SSRF attacks and credential leakage. No known exploits are reported in the wild yet, but the vulnerability is publicly disclosed with a CVSS 4.0 score of 6.6, reflecting a medium severity impact with network attack vector, no privileges or user interaction required, and high confidentiality impact.

Potential Impact

The SSRF vulnerability in Saloon can have significant consequences for organizations that use this library in their PHP applications for API integrations. Attackers can exploit this flaw to make the server send crafted requests to internal or external systems, potentially bypassing network restrictions and accessing sensitive internal resources. The inclusion of authentication headers and tokens in these requests can lead to credential leakage, enabling attackers to impersonate the server or escalate attacks against other services. This can result in unauthorized data access, data exfiltration, or further compromise of internal systems. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and silently if user-controlled input influences the endpoint URL. The impact is particularly severe in environments where Saloon is used to interact with critical APIs or services containing sensitive data. Although no active exploits are known, the risk of exploitation increases as the vulnerability becomes publicly known. Organizations failing to upgrade or validate endpoint URLs may face data breaches, service disruptions, and reputational damage.

Mitigation Recommendations

Organizations should immediately upgrade Saloon to version 4.0.0 or later, where the vulnerability is fixed by rejecting absolute URLs in request endpoints by default. If upgrading is not immediately possible, developers must audit all usage of Saloon in their codebases to identify any instances where user input or configuration parameters influence the request endpoint. They should implement strict input validation and sanitization to prevent attacker-controlled absolute URLs. Additionally, developers should avoid passing absolute URLs as endpoints unless explicitly required and opt-in to this functionality with caution. Network-level controls such as egress filtering and web application firewalls (WAFs) can help detect and block suspicious outbound requests to unexpected destinations. Monitoring logs for unusual outbound HTTP requests originating from servers using Saloon can provide early detection of exploitation attempts. Finally, review and rotate any credentials or tokens that may have been exposed if exploitation is suspected.
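The URL-join behaviour described in the Technical Analysis and the opt-in rejection recommended above, as an added PHP example that is not Saloon's own URLHelper code: joinVulnerable() models the pre-4.0.0 shape, joinSafe() the 4.0.0-style fix; the function names and the $allowAbsolute parameter are assumptions, and the code assumes PHP 8 (str_starts_with, named arguments).

```php
<?php
// Added illustration, not Saloon's own URLHelper: the pre-4.0.0 join lets an
// absolute endpoint silently replace the base URL; the 4.0.0-style fix rejects
// it unless the caller opts in ($allowAbsolute is an assumed parameter name).
function isAbsoluteUrl(string $value): bool
{
    $parts = parse_url($value);
    if ($parts === false) {
        return false;
    }
    // scheme + host, or a protocol-relative "//host/..." form
    return isset($parts['scheme'], $parts['host'])
        || (str_starts_with($value, '//') && isset($parts['host']));
}

// Vulnerable shape: an absolute endpoint wins and the base URL is ignored.
function joinVulnerable(string $baseUrl, string $endpoint): string
{
    if (isAbsoluteUrl($endpoint)) {
        return $endpoint;
    }
    return rtrim($baseUrl, '/') . '/' . ltrim($endpoint, '/');
}

// Hardened shape: absolute endpoints throw unless explicitly allowed.
function joinSafe(string $baseUrl, string $endpoint, bool $allowAbsolute = false): string
{
    if (isAbsoluteUrl($endpoint)) {
        if (!$allowAbsolute) {
            throw new InvalidArgumentException(
                'Absolute endpoint URLs are rejected unless explicitly allowed: ' . $endpoint
            );
        }
        return $endpoint;
    }
    return rtrim($baseUrl, '/') . '/' . ltrim($endpoint, '/');
}

// Constructed inputs: the connector's base URL and an endpoint derived from
// an untrusted parameter such as redirect_uri.
$base    = 'https://api.example.com/v1';
$tainted = 'https://third-party.example/collect';
echo joinVulnerable($base, 'users/42'), PHP_EOL;
echo joinVulnerable($base, $tainted), PHP_EOL; // connector auth headers would go here
try {
    joinSafe($base, $tainted);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
echo joinSafe($base, $tainted, allowAbsolute: true), PHP_EOL; // explicit opt-in
```

Auditing for the vulnerable shape means finding every place an endpoint string reaches the join from request parameters or configuration; the safe shape makes those places fail loudly rather than redirecting the connector's credentials.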


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-17T22:16:36.720Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69c4854ef4197a8e3b9c70b2

Added to database: 3/26/2026, 1:01:02 AM

Last enriched: 3/26/2026, 1:17:32 AM

Last updated: 3/26/2026, 5:39:52 AM
