Skip to content

Bug: Serverless proxy function endpoint functions as an unrestricted open proxy #355

Description

@devprashant19

Affected Tool or Page

Serverless Backend Proxy (functions/api/fetch.js)

Bug Description

The Cloudflare Pages serverless proxy function (functions/api/fetch.js) is used to bypass CORS restrictions by fetching pages on the server side. However, the endpoint has Access-Control-Allow-Origin: * and does not require authorization or enforce rate limits. Anyone on the internet can call it to query external websites.

Steps to Reproduce

  1. Send a request to the /api/fetch endpoint of a deployed instance with any external target URL:
    GET /api/fetch?url=https://icanhazip.com
  2. See that the function successfully proxies the request and returns the external content.

Expected Behavior

The endpoint should restrict requests to origins matching the hosted domain or require a verified token to prevent abuse as an open proxy relay.

Actual Behavior

The endpoint executes fetches for any client, allowing unrestricted open proxy usage.

Environment

Cloudflare Pages Functions runtime

Screenshots

No response

Pre-submission Checklist

  • I have checked existing issues for duplicates.
  • I have tested this in at least one modern browser.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions