Policai AI Policy Tracker Exposes Critical SSRF Vulnerability in Admin Endpoints
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in the administrative API of the Policai Australian AI Policy Tracker. The `/api/admin/analyse-url` endpoint performs a server-side `fetch()` on whatever URL the caller supplies, with no validation of scheme, host or destination address, so an authenticated attacker can make the server issue requests to internal infrastructure on their behalf. The flaw is compounded by a separate authentication bypass that applies when the application runs in development mode, which in that configuration removes even the requirement to be authenticated and significantly lowers the barrier to exploitation.
The vulnerability is located in the `analyse-url` route at line 34 of `src/app/api/admin/analyse-url/route.ts`, where the user-controlled `url` variable is passed straight to `fetch()`. Because the request originates from the server, an attacker can aim it at destinations that are unreachable from outside: cloud metadata services such as AWS's `http://169.254.169.254` and GCP's `http://metadata.google.internal`, services bound to `localhost`, and other hosts on the private network. How much the metadata services give up depends on their configuration: AWS IMDSv1 answers a plain GET, whereas IMDSv2 requires a session token obtained with a PUT request, and GCP's metadata server rejects requests that lack a `Metadata-Flavor: Google` header. A bare `fetch(url)` sends a GET with no custom headers, so credential theft via metadata is direct in the IMDSv1 case and harder where those protections are enabled; internal reconnaissance is unaffected by them. The same insecure pattern is repeated in the scraper functionality at `src/app/api/admin/run-scraper/route.ts`.
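The page describes the defect as `fetch(url)` on an unvalidated `url`. The TypeScript below is an added example, not code from the Policai project, showing the destination check a route like this should run before fetching: it rejects non-HTTP schemes and embedded credentials, blocks metadata and loopback hostnames, and resolves the name and rejects it if any address falls in a loopback, link-local, RFC 1918 or CGNAT range. The resolver is injected so the example runs offline; `sampleResolver` and the hostnames `example.com`, `internal-app.test` and `rebind.attacker.test` with their addresses are constructed sample data, and `checkOutboundUrl`, `isBlockedIPv4`, `isBlockedIPv6` and the contents of the block lists are names and policy choices made for this example.

```typescript
// Added example, not code from the Policai project: an allow-list check for a
// caller-supplied URL, to run before any server-side fetch() of it.

export type Resolver = (hostname: string) => string[];

export interface UrlCheck {
  ok: boolean;
  reason?: string;
}

// Hostnames the server must never be coerced into contacting. The metadata
// names are the ones the advisory mentions plus localhost; the list is a
// policy choice for this example.
const BLOCKED_HOSTNAMES = new Set([
  "localhost",
  "metadata.google.internal", // GCP metadata server
  "metadata",                 // short alias GCP resolves inside a VM
]);

// Ranges that are not the public internet: "this" network, RFC 1918, CGNAT,
// loopback, link-local (which contains the 169.254.169.254 metadata address).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],
  ["10.0.0.0", 8],
  ["100.64.0.0", 10],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
];

function ipVersion(s: string): 0 | 4 | 6 {
  const m = s.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (m && m.slice(1).every((octet) => Number(octet) <= 255)) return 4;
  if (s.includes(":")) return 6;
  return 0;
}

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

export function isBlockedIPv4(ip: string): boolean {
  const addr = ipv4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Conservative IPv6 check on the textual form; a production version should
// canonicalise the address first so abbreviated forms cannot slip past it.
export function isBlockedIPv6(ip: string): boolean {
  const v = ip.toLowerCase();
  if (v === "::1" || v === "::") return true;                  // loopback, unspecified
  if (v.startsWith("fe80:")) return true;                      // link-local
  if (v.startsWith("fc") || v.startsWith("fd")) return true;   // unique-local fc00::/7
  const mapped = v.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);     // IPv4-mapped
  if (mapped) return isBlockedIPv4(mapped[1]);
  return false;
}

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

export function checkOutboundUrl(raw: string, resolve: Resolver): UrlCheck {
  const u = parseUrl(raw);
  if (!u) return { ok: false, reason: "unparseable URL" };
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  }
  if (u.username || u.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // The WHATWG parser has already lowercased the host and rewritten numeric
  // forms such as 2130706433 or 0x7f000001 to dotted 127.0.0.1; strip the
  // brackets it keeps around IPv6 literals and any trailing dot.
  const host = u.hostname.replace(/^\[|\]$/g, "").replace(/\.$/, "");
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith(".localhost") || host.endsWith(".internal")) {
    return { ok: false, reason: `hostname ${host} is blocked` };
  }
  // Check every address the name maps to: a name with one public and one
  // private record is rejected rather than letting fetch() pick the private one.
  const addrs = ipVersion(host) ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: `hostname ${host} did not resolve` };
  for (const a of addrs) {
    const ver = ipVersion(a);
    const blocked = ver === 4 ? isBlockedIPv4(a) : ver === 6 ? isBlockedIPv6(a) : true;
    if (blocked) return { ok: false, reason: `${host} resolves to blocked address ${a}` };
  }
  return { ok: true };
}

// Constructed, offline stand-in for DNS so the example runs without a network;
// production code would wrap dns.promises.lookup(host, { all: true }) instead.
export const sampleResolver: Resolver = (hostname) => {
  const table: Record<string, string[]> = {
    "example.com": ["203.0.113.10"],
    "internal-app.test": ["192.168.1.20"],
    "rebind.attacker.test": ["203.0.113.10", "10.0.0.5"],
  };
  return table[hostname] ?? [];
};
```

In a route handler the call sits before the fetch: if `checkOutboundUrl(url, resolver).ok` is false, return 400 and stop; otherwise fetch with `redirect: "manual"`, because a 3xx pointing at an internal host would otherwise be followed without being re-checked. Two caveats remain. The name validated here may resolve differently when `fetch()` performs its own lookup (DNS rebinding), so a complete fix either pins the connection to the validated address or routes outbound requests through an egress proxy with its own allow-list. And a block list is a floor, not a ceiling: where the feature only needs to reach a known set of sites, an allow-list of permitted hosts is the simpler and safer rule.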
The flaw can expose cloud instance metadata, which may include temporary credentials and configuration secrets, and it lets an attacker enumerate internal hosts and ports using the server's network position. That the same pattern appears in more than one core administrative function points to a systemic absence of input validation and outbound-request hardening in the application's backend, and so to a severe risk to the confidentiality and integrity of the Policai platform and the infrastructure it runs on.