Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 8 maven packages depend on org.apache.fesod:fesod-sheet (6 direct, 2 indirect)
Ecosystem-wide dependent count for version 2.0.2-incubating.
DescriptionCVE.org
Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.
AnalysisAI
Server-Side Request Forgery in Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows unauthenticated remote attackers to trigger outbound HTTP requests from the server to internal or restricted network resources by supplying a crafted image URL to the UrlImageConverter component. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, making this trivially reachable against any exposed instance. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Technical ContextAI
Apache Fesod (Incubating) is an Apache Software Foundation incubator project for spreadsheet processing in Java. The vulnerable component is UrlImageConverter within the fesod-sheet module, which fetches images from caller-supplied URLs during spreadsheet rendering or export. CWE-918 (Server-Side Request Forgery) describes the root cause: the component makes outbound HTTP requests using attacker-controlled input without validating the destination host or IP range against an allowlist. This allows the server to act as a proxy to internal infrastructure. The fix in PR #917 introduces a new CidrBlock.java class - a CIDR-based network address matcher - used to implement an IP allowlist for the UrlImageConverter's outbound fetch logic, blocking requests to private/reserved address spaces. Affected CPE: cpe:2.3:a:apache_software_foundation:apache_fesod_(incubating):*:*:*:*:*:*:*:*.
RemediationAI
Upgrade Apache Fesod (Incubating) fesod-sheet to version 2.0.2-incubating, which is confirmed as the vendor-released fix per GitHub release tag https://github.com/apache/fesod/releases/tag/2.0.2-incubating and the Apache advisory at https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj. The patch introduces CIDR-based IP allowlisting in the UrlImageConverter component to block requests to internal address ranges. If immediate upgrade is not possible, a compensating control is to restrict outbound network access from the application server using host-based firewall rules or cloud security groups, specifically blocking access to RFC-1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254/32). This network-level control is effective but adds operational overhead and must be maintained separately from the application. Applications that legitimately need to fetch images from internal URLs will need those ranges explicitly whitelisted after upgrading to 2.0.2-incubating.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33622
GHSA-vqc2-c9jh-3jjv