Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard +40 merge_pr award. New to the repo? See the Contributing guide, and Local Development & SSO to run the app locally (cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.

Description

Any worker endpoint that fetches a URL the client controls. The new /contribute/claim was designed defensively (no fetch of user URL) but other paths may not be.

Likely surfaces

  • Field Notes article import / OG-card preview generation
  • Wiki backlinks if it ever fetches arbitrary URLs
  • Search-service / search-mcp proxying queries to external sources
  • UXS Portal LLM tool-use that fetches URLs the model decides on
  • The bot's !save, !archive, !ol, !docs, !cop paths if they take URLs

What qualifies

  • Forcing the worker to hit 127.0.0.1, *.internal, IPv6 link-local, AWS metadata IPs
  • Forcing a fetch through a redirect chain that lands on internal infra
  • Workers can't reach RFC1918 ranges by default but cloudflared tunnels expose internal services that workers CAN reach

--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*

Relevant files

No relevant files linked yet.

Hints

No hints yet.

Activity

No points have been awarded for this bounty yet.

Comments

No comments yet. Be the first to weigh in.

↑ Top