BigSweetPotatoStudio HyperChat has a Server-Side Request Forgery issue

Severity:: Medium

Description

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely.

Recommendation

No fix is available yet. Followings are affected versions:

<= 2.0.0-alpha.63

References

GHSA-r2jq-4h3x-rfj6
vuldb.com
CVE-2026-7223
CWE-918
CAPEC-310
OWASP 2021-A10
OWASP 2021-A6

Related Issues

Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads - CVE-2026-27567
pdfmake is vulnerable to server-side request forgery (SSRF) - CVE-2026-26801
React Router has CSRF issue in Action/Server Action Request Processing - CVE-2026-22030
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155

Exploiting Server Version Disclosure

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; @dadigua/hyperchat

Anything's wrong? Let us know Last updated on May 06, 2026