Go Fastdfs Web
Server-side request forgery in perfree go-fastdfs-web versions up to 1.3.7 allows remote unauthenticated attackers to coerce the application into issuing arbitrary outbound HTTP requests via the checkServer function exposed at the /install/checkServer installation endpoint. Publicly available exploit code exists per VulDB, and the vendor did not respond to disclosure, leaving deployments without a confirmed fix. The flaw is reachable network-wide with no authentication and low complexity, raising the practical risk of internal network reconnaissance and cloud metadata abuse.