Affected Tool or Page
Serverless Backend Proxy (functions/api/fetch.js)
Bug Description
The Cloudflare Pages serverless proxy function (functions/api/fetch.js) is used to bypass CORS restrictions by fetching pages on the server side. However, the endpoint has Access-Control-Allow-Origin: * and does not require authorization or enforce rate limits. Anyone on the internet can call it to query external websites.
Steps to Reproduce
- Send a request to the
/api/fetch endpoint of a deployed instance with any external target URL:
GET /api/fetch?url=https://icanhazip.com
- See that the function successfully proxies the request and returns the external content.
Expected Behavior
The endpoint should restrict requests to origins matching the hosted domain or require a verified token to prevent abuse as an open proxy relay.
Actual Behavior
The endpoint executes fetches for any client, allowing unrestricted open proxy usage.
Environment
Cloudflare Pages Functions runtime
Screenshots
No response
Pre-submission Checklist
Affected Tool or Page
Serverless Backend Proxy (
functions/api/fetch.js)Bug Description
The Cloudflare Pages serverless proxy function (
functions/api/fetch.js) is used to bypass CORS restrictions by fetching pages on the server side. However, the endpoint hasAccess-Control-Allow-Origin: *and does not require authorization or enforce rate limits. Anyone on the internet can call it to query external websites.Steps to Reproduce
/api/fetchendpoint of a deployed instance with any external target URL:GET /api/fetch?url=https://icanhazip.comExpected Behavior
The endpoint should restrict requests to origins matching the hosted domain or require a verified token to prevent abuse as an open proxy relay.
Actual Behavior
The endpoint executes fetches for any client, allowing unrestricted open proxy usage.
Environment
Cloudflare Pages Functions runtime
Screenshots
No response
Pre-submission Checklist