Skip to main content

Repomix

1 CVEs product

Monthly

CVE-2026-59702 CRITICAL PATCH Act Now

Server-side request forgery in Repomix's hosted API (POST /api/pack) lets unauthenticated remote attackers coerce the server into making arbitrary outbound requests. Because the endpoint passes user-supplied URLs to git clone without validating the http://, https://, or file:// schemes, an attacker can reach internal-only network addresses, cloud metadata endpoints (e.g. GCP), and read local filesystem paths. VulnCheck reported the flaw and a vendor fix exists; no public exploit is identified at time of analysis.

SSRF Repomix
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.3%
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Server-side request forgery in Repomix's hosted API (POST /api/pack) lets unauthenticated remote attackers coerce the server into making arbitrary outbound requests. Because the endpoint passes user-supplied URLs to git clone without validating the http://, https://, or file:// schemes, an attacker can reach internal-only network addresses, cloud metadata endpoints (e.g. GCP), and read local filesystem paths. VulnCheck reported the flaw and a vendor fix exists; no public exploit is identified at time of analysis.

SSRF Repomix
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy