Flowintel
Monthly
Server-side request forgery in FlowIntel up to version 3.3.0 allows a low-privileged authenticated user to coerce the application server into issuing HTTP HEAD requests to attacker-specified destinations-including loopback addresses, RFC 1918 private ranges, link-local cloud metadata endpoints, and other restricted network resources-via the external reference URL probe feature in app/case/task.py. The root cause is absent URL scheme filtering and missing resolved-IP validation before the outbound request is dispatched. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV, though the upstream fix commit confirms the flaw's existence and scope.
Server-side request forgery in FlowIntel up to version 3.3.0 allows a low-privileged authenticated user to coerce the application server into issuing HTTP HEAD requests to attacker-specified destinations-including loopback addresses, RFC 1918 private ranges, link-local cloud metadata endpoints, and other restricted network resources-via the external reference URL probe feature in app/case/task.py. The root cause is absent URL scheme filtering and missing resolved-IP validation before the outbound request is dispatched. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV, though the upstream fix commit confirms the flaw's existence and scope.