CVE-2026-47719: FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading

An unauthenticated attacker (Alice) connects to FUXA’s Socket.IO endpoint and emits a device-webapi-request event whose property.address field names an arbitrary URL. FUXA’s DEVICE_WEBAPI_REQUEST handler at server/runtime/index.js:296 calls axios.get(address) server-side and broadcasts the full response body back on the same event via io.emit. The companion handler DEVICE_PROPERTY at server/runtime/index.js:153 has the same miss against OPC UA and ODBC endpoints. Both handlers skip the isSocketWriteAuthorized() check that the other write-capable events (DEVICE_VALUES at line 182, DEVICE_ENABLE at line 358) call. Alice reads cloud instance metadata, scans internal services, and connects to any OPC UA server or ODBC database the FUXA host can reach, then receives the results.