Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Server-side request forgery (SSRF) in BigSweetPotatoStudio HyperChat up to version 2.0.0-alpha.63 allows remote unauthenticated attackers to manipulate the baseurl argument in the AI Proxy Middleware component, enabling arbitrary HTTP requests from the affected server. The vulnerability has a publicly available exploit and CVSS 6.9 score reflecting confidentiality, integrity, and availability impact at the network level with low complexity. The vendor has not responded to early disclosure notification through the project's GitHub issue tracker.
Technical ContextAI
The vulnerability exists in the fetch function of packages/core/src/http/aiProxyMiddleware.mts, a Node.js/TypeScript middleware component responsible for proxying requests to AI services. The root cause is improper validation of the baseurl parameter (CWE-918: Server-Side Request Forgery), allowing attackers to specify arbitrary target URLs. The AI Proxy Middleware acts as an intermediary between client applications and external AI services; when baseurl is not properly sanitized, an attacker can redirect requests to internal services, private IP ranges, or other unintended targets that the server process can reach. This is a classic SSRF vulnerability where user-controlled input determines the destination of server-initiated HTTP requests without sufficient validation.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate remediation requires upgrading to a version beyond 2.0.0-alpha.63 once the vendor releases a fix; monitor the GitHub repository's releases page for patched versions. As interim compensating controls: (1) Implement strict URL validation and allowlisting for the baseurl parameter-reject or validate against a whitelist of permitted AI service endpoints only, blocking requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1/8, ::1), localhost, and metadata service IPs (169.254.169.254 for cloud environments); (2) Restrict outbound network access from the HyperChat application process using network-level controls (egress firewall rules, network policies) to only explicitly required external AI service domains; (3) Disable the AI Proxy Middleware if not actively in use, or isolate it to a network segment with minimal lateral movement capability. Each mitigation requires testing against legitimate AI service integrations to avoid breaking functionality.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25980