Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery (SSRF) in devlikeapro WAHA up to version 2026.3.4 allows authenticated remote attackers to forge requests from the server via the media.controller.ts API endpoint, enabling potential reconnaissance, internal resource access, and lateral movement attacks. Publicly available exploit code exists and the vendor has not responded to disclosure efforts.
Technical ContextAI
The vulnerability exists in the API Request Handler component, specifically in the src/api/media.controller.ts file, which processes media-related API requests. The flaw is rooted in CWE-918 (Server-Side Request Forgery), where the application fails to properly validate or restrict URLs constructed from user-controlled input before making server-initiated HTTP requests. This allows attackers to abuse the server's network position to access internal resources, cloud metadata endpoints, or services not directly exposed to the attacker. The WAHA platform (likely a WhatsApp/messaging automation tool based on naming conventions) uses Node.js/TypeScript and exposes this functionality through its REST API layer.
RemediationAI
No vendor-released patch identified at time of analysis, and the vendor has not responded to disclosure communications. Immediate mitigation requires upgrading to a version beyond 2026.3.4 if released, or implementing network-level controls. As interim compensating controls: (1) Restrict access to the media API endpoint (/api/media or related routes) to trusted networks only via WAF or reverse proxy rules-this reduces the attack surface to internal/authenticated users; (2) Implement strict URL validation and allowlisting on any media URL parameters processed by the media.controller.ts handler, blocking internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1) and metadata service endpoints (169.254.169.254, 127.0.0.1:8000); (3) Disable or isolate the media handling feature if not actively required; (4) Monitor outbound connections from the WAHA service for unexpected destinations. Monitor vendor communication channels for patch releases and consider forking or switching to maintained alternatives if the vendor remains unresponsive.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25655