Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network endpoint (PR:N/UI:N/AC:L); SSRF crosses a trust boundary to internal/metadata systems (S:C) with high confidentiality (C:H) and only minor integrity impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers to access private network addresses, GCP metadata services, or local filesystem paths.
AnalysisAI
Server-side request forgery in Repomix's hosted API (POST /api/pack) lets unauthenticated remote attackers coerce the server into making arbitrary outbound requests. Because the endpoint passes user-supplied URLs to git clone without validating the http://, https://, or file:// schemes, an attacker can reach internal-only network addresses, cloud metadata endpoints (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run Repomix in its server/web mode with the POST /api/pack endpoint network-reachable by the attacker; per CVSS PR:N/UI:N/AC:L/AT:N no authentication, no user interaction, and no special preconditions are needed against such a deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N, score 9.2) describes a network-reachable, low-complexity, fully unauthenticated flaw with high confidentiality impact on both the vulnerable system and a subsequent system (SC:H) - consistent with SSRF that pivots to internal services and metadata. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a hosted Repomix instance sends an unauthenticated POST /api/pack request with a repository URL of http://169.254.169.254/computeMetadata/v1/ (GCP metadata) or file:///etc/passwd. Repomix passes the URL to git clone, the server fetches the internal resource, and the attacker recovers cloud credentials or local file contents from the response. … |
| Remediation | Patch available per vendor advisory - an upstream fix commit exists (https://github.com/CrazyForks/repomix/commit/c748b524f41225e7fc6f89ad0084520901a453cf); a released patched version is not independently confirmed from the provided data, so upgrade to the latest Repomix release that incorporates this commit and verify the fix is present. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Apply the latest Repomix security patch to all hosted API instances and notify all users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42298
GHSA-5wj3-m77q-j278