Activepieces
Monthly
Server-side request forgery in Activepieces through version 0.83.0 enables authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests to attacker-controlled destinations via the `handleUrlFile` function in the File URL Handler component. The vulnerability spans the entire documented release history from 0.1 to 0.83.0, and a public exploit write-up is available on GitHub, materially lowering the exploitation barrier. The vendor did not respond to responsible disclosure, meaning no patch has been released at time of analysis and no official remediation guidance exists.
Server-side request forgery in Activepieces through version 0.83.0 enables authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests to attacker-controlled destinations via the `handleUrlFile` function in the File URL Handler component. The vulnerability spans the entire documented release history from 0.1 to 0.83.0, and a public exploit write-up is available on GitHub, materially lowering the exploitation barrier. The vendor did not respond to responsible disclosure, meaning no patch has been released at time of analysis and no official remediation guidance exists.