Hasty Briefs beta

  • #PostHog
  • #RCE
  • #SSRF
  • PostHog was selected as a strong candidate for analytics due to its open-source nature and self-hosted capabilities.
  • The team's vendor selection process includes a 24-hour hands-on research window to evaluate products in their environment.
  • PostHog's installation was straightforward, following official documentation, with a focus on understanding its high-level architecture.
  • Multiple Server-Side Request Forgery (SSRF) vulnerabilities were discovered in PostHog, including CVE-2024-9710, CVE-2025-1522, and CVE-2025-1521.
  • A bypass for CVE-2023-46746 was analyzed, revealing that while the webhook "test" endpoint had solid SSRF validation, the "save" endpoint did not enforce the same checks.
  • The Rust-based webhook worker was found to trust previously saved internal URLs without re-validating them at send time, leading to an SSRF condition.
  • A ClickHouse SQL injection vulnerability was discovered, allowing remote code execution (RCE) through PostgreSQL table functions.
  • The attack chain combined SSRF, ClickHouse SQL injection, and PostgreSQL vulnerabilities to achieve RCE.
  • The Zero Day Initiative (ZDI) played a critical role in the responsible disclosure process, ensuring vulnerabilities were handled transparently.
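The two SSRF bullets above describe the same design flaw twice: the URL check lived only on the "test" path, so the "save" path and the worker that later consumed saved rows never applied it. The following is an added example, not PostHog's code, of the mitigation a defender would want: one validator function, applied at test time, at save time, and again by the worker at dispatch time, rejecting every resolved address that is not publicly routable. Names such as `WebhookStore`, `validate_webhook_url` and the sample resolver table are assumptions made for this illustration; the resolver is injectable so the block runs offline, with `socket.getaddrinfo` as the default.

```python
"""Added example (not PostHog's code): a single SSRF validator applied at
every hop of a webhook's lifecycle (test, save, dispatch).

Assumed names: WebhookStore, validate_webhook_url, sample_resolver.
"""

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host: str) -> list:
    """Resolve a hostname to ALL of its addresses via real DNS (not used offline)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _non_public(ip) -> bool:
    """True for anything that is not a globally routable unicast address.

    IPv4-mapped IPv6 literals such as ::ffff:10.0.0.1 are unwrapped first so
    they are judged by the embedded IPv4 address, not by the IPv6 wrapper."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_loopback or ip.is_link_local or ip.is_private
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
        or not ip.is_global
    )


def validate_webhook_url(url: str, resolver: Resolver = _default_resolver) -> str:
    """Return the URL unchanged if it is safe to fetch, else raise ValueError.

    Every resolved address is checked, not only the first one, so a name that
    alternates between a public and an internal address is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    try:
        addresses = [ipaddress.ip_address(host)]      # literal IP in the URL
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    for ip in addresses:
        if _non_public(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url


def is_acceptable(url: str, resolver: Resolver = _default_resolver) -> bool:
    """Boolean wrapper around validate_webhook_url for callers that only need a verdict."""
    try:
        validate_webhook_url(url, resolver)
        return True
    except ValueError:
        return False


class WebhookStore:
    """In-memory stand-in for the saved-webhook table (constructed for the example)."""

    def __init__(self, resolver: Resolver = _default_resolver):
        self._resolver = resolver
        self._rows: dict = {}

    def test(self, url: str) -> str:
        # "test" path: validate before any outbound request is made
        return validate_webhook_url(url, self._resolver)

    def save(self, name: str, url: str) -> str:
        # "save" path: the SAME validator; no second, weaker code path
        self._rows[name] = validate_webhook_url(url, self._resolver)
        return self._rows[name]

    def seed_legacy(self, name: str, url: str) -> None:
        # Models a row written before validation existed (bypasses the check on purpose).
        self._rows[name] = url

    def dispatch(self, name: str) -> str:
        # Worker path: re-validate at send time. A stored URL is not trusted just
        # because it is in the database; it may predate the check, or DNS may have changed.
        return validate_webhook_url(self._rows[name], self._resolver)


# Constructed DNS answers so the example runs offline; addresses are sample values.
SAMPLE_RESOLUTIONS = {
    "hooks.example.com": ["93.184.216.34"],                 # public only: accepted
    "flip.example.com": ["93.184.216.34", "10.0.0.5"],      # mixed public/internal: rejected
    "metadata.internal": ["169.254.169.254"],               # link-local: rejected
}


def sample_resolver(host: str) -> list:
    return SAMPLE_RESOLUTIONS.get(host, [])


if __name__ == "__main__":
    store = WebhookStore(sample_resolver)
    print("test:", is_acceptable("https://hooks.example.com/in", sample_resolver))
    print("save:", is_acceptable("https://flip.example.com/in", sample_resolver))
    store.seed_legacy("old", "http://metadata.internal/latest")
    print("dispatch of legacy row:", is_acceptable(store._rows["old"], sample_resolver))
```

The design point is that `test`, `save` and `dispatch` all call the same function, so a rule added for one path cannot be missing on another, and the worker's re-check means rows that entered the table before the rule existed, or whose name now resolves somewhere else, are still refused at send time.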