EUVD-2026-14258
GHSA-29mf-95fh-hwxf
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Tags
Description
A vulnerability was determined in trueleaf ApiFlow 0.9.7. The impacted element is the function validateUrlSecurity of the file packages/server/src/service/proxy/http_proxy.service.ts of the component URL Validation Handler. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Analysis
A Server-Side Request Forgery (SSRF) vulnerability exists in the validateUrlSecurity function within trueleaf ApiFlow version 0.9.7's URL validation handler. This flaw allows unauthenticated remote attackers to manipulate server-side requests to access internal resources or perform actions on behalf of the server. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running trueleaf ApiFlow 0.9.7 and assess their exposure to untrusted networks; immediately implement network segmentation or WAF rules to restrict access to the validateUrlSecurity endpoint. Within 7 days: Deploy compensating controls including URL allowlisting, egress filtering to block internal IP ranges, and enhanced logging on affected systems; evaluate feasibility of upgrading to a patched version or alternative product. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today