Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery in router-for-me CLIProxyAPI 6.9.29 allows authenticated remote attackers to manipulate the url parameter in the API Interface handler to perform arbitrary network requests on behalf of the server. The vulnerability has a publicly available exploit and vendor communication attempts were unsuccessful, though the low CVSS score (2.1) and requirement for authenticated access limit real-world impact compared to unauthenticated SSRF vulnerabilities.
Technical ContextAI
The vulnerability exists in the API management interface component (internal/api/handlers/management/api_tools.go) where user-supplied URL input is processed without proper validation or sanitization. This is a classic Server-Side Request Forgery (CWE-918) attack where an authenticated user can craft a malicious url parameter that causes the CLIProxyAPI server to initiate outbound HTTP requests to arbitrary destinations. The affected product is CLIProxyAPI, a reverse proxy or API gateway tool used by router-for-me, which processes API requests and forwards them - making it particularly susceptible to SSRF when request parameters are not adequately validated before being used to construct outbound requests.
RemediationAI
No vendor-released patch identified at time of analysis. The vendor's non-response to early disclosure means users cannot rely on official updates. Recommended mitigations: (1) Restrict network access to CLIProxyAPI's management API endpoint to trusted administrative hosts only via firewall or network ACLs - this directly limits who can send malicious url parameters. (2) Implement input validation and URL whitelist controls at the application level by modifying internal/api/handlers/management/api_tools.go to reject non-whitelisted destination URLs and validate that url parameters conform to expected formats (e.g., only allow URLs to specific internal services). (3) Disable the vulnerable API endpoint or feature if not actively used in production. (4) Monitor outbound connections from CLIProxyAPI for suspicious destinations (internal IP ranges, localhost, cloud metadata services) using IDS or network logging. (5) Run CLIProxyAPI with minimal network privileges - use container security policies or host firewall rules to block outbound requests to unauthorized ranges. Evaluate migration to an actively maintained reverse proxy or API gateway product if CLIProxyAPI is unmaintained.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28403
GHSA-v2c6-3phc-2r62