This page demonstrates the vulnerability of the /api/proxy/media endpoint on
https://www.tv5mondeplus.com:
The endpoint proxies any URL whose host matches *.akamaized.net (a very broad whitelist on a shared CDN), and it responds with Access-Control-Allow-Origin: *, which allows any origin to read the content cross-origin.
Result: an attacker hosting a page on an arbitrary origin (this PoC page) can use the TV5MONDE proxy
to read content cross-origin that the browser's Same-Origin Policy would otherwise block,
and to relay HTTP requests through the TV5MONDE backend IP to any URL reachable via a
chain of redirects originating from *.akamaized.net.
Test 1: direct fetch of https://images.akamaized.net/test.m3u8 from this origin (browser).
Expected behaviour: the browser should refuse to read the response because the upstream CDN does not return any Access-Control-Allow-Origin header. This protects users — an attacker should NOT be able to read this content from an arbitrary origin.
Test 2: the same URL fetched through the /api/proxy/media endpoint. The proxy returns Access-Control-Allow-Origin: *, allowing this page to read the response despite SOP. The proxy follows the upstream 307 redirect issued by images.akamaized.net and returns the body of cdn.myacg.com.tw/goods_images/gt_123400.png — content that is not even on the akamaized.net domain — effectively turning the proxy into an open relay for any HTTP target reachable via a redirect chain starting on the whitelisted domain.
Summary: this PoC page is served from an origin unrelated to TV5MONDE (https://attacker.example/poc.html). Test 1 fails (no Access-Control-Allow-Origin from the upstream), while Test 2 succeeds because the proxy adds Access-Control-Allow-Origin: *. The proxy endpoint expects a url query parameter. It accepts hosts matching *.akamaized.net and refuses any other host (403 "Domain not allowed"). It also refuses URLs that resolve to private IP ranges (403 "Access to private IP ranges is forbidden"). However, it follows HTTP redirects without re-applying the whitelist on the redirect target: the response shown in Test 2 is in fact the body of a cdn.myacg.com.tw resource, fetched after a single 307 redirect from images.akamaized.net.
This request fetches a third-party customer's AWS Lambda endpoint hosted on the same shared akamaized.net CDN as TV5MONDE. The proxy whitelist is so broad it allows arbitrary cross-tenant traffic. The browser would normally not be able to read the JSON body (no upstream CORS); the TV5MONDE proxy makes it readable by adding Access-Control-Allow-Origin: * — effectively turning www.tv5mondeplus.com into a CORS-stripping relay for the entire Akamai shared CDN.