CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4658 vulnerabilities reference this CWE, most recent first.
GHSA-PXG5-H34R-7Q8P
Vulnerability from github – Published: 2023-09-20 23:04 – Updated: 2024-09-20 19:59A SSRF vulnerability exists, bypassing existing controls on the software. This can allow a user to request internal services for a full read SSRF, returning any data from the internal network.
the application is using a whitelist, but the whitelist can be bypassed with @ and encoded value of @ (%40) GET /proxy/?url=http://development.demo.geonode.org%40geoserver:8080/geoserver/web This will trick the application that the first host is a whitelisted address, but the browser will use @ or %40 as a credential to the host geoserver on port 8080, this will return the data to that host on the response.

{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.2"
},
"package": {
"ecosystem": "PyPI",
"name": "GeoNode"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "4.1.3.post1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42439"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-20T23:04:44Z",
"nvd_published_at": "2023-09-15T21:15:11Z",
"severity": "HIGH"
},
"details": "A SSRF vulnerability exists, bypassing existing controls on the software. This can allow a user to request internal services for a full read SSRF, returning any data from the internal network.\n\nthe application is using a whitelist, but the whitelist can be bypassed with @ and encoded value of @ (%40) GET /proxy/?url=http://development.demo.geonode.org%40geoserver:8080/geoserver/web \nThis will trick the application that the first host is a whitelisted address, but the browser will use @ or %40 as a credential to the host geoserver on port 8080, this will return the data to that host on the response.\n\n\n\n",
"id": "GHSA-pxg5-h34r-7q8p",
"modified": "2024-09-20T19:59:58Z",
"published": "2023-09-20T23:04:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/GeoNode/geonode/security/advisories/GHSA-pxg5-h34r-7q8p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42439"
},
{
"type": "WEB",
"url": "https://github.com/GeoNode/geonode/commit/79ac6e70419c2e0261548bed91c159b54ff35b8d"
},
{
"type": "PACKAGE",
"url": "https://github.com/GeoNode/geonode"
},
{
"type": "WEB",
"url": "https://github.com/GeoNode/geonode/releases/tag/4.1.3"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/geonode/PYSEC-2023-176.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "GeoNode vulnerable to SSRF Bypass to return internal host data"
}
GHSA-PXP3-C847-MX5J
Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-05-14 01:38{
"affected": [],
"aliases": [
"CVE-2018-20596"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-30T18:29:00Z",
"severity": "CRITICAL"
},
"details": "Jspxcms v9.0.0 allows SSRF.",
"id": "GHSA-pxp3-c847-mx5j",
"modified": "2022-05-14T01:38:24Z",
"published": "2022-05-14T01:38:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20596"
},
{
"type": "WEB",
"url": "https://gitee.com/jspxcms/Jspxcms/issues/IQAHK"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q24H-5RQ3-63J9
Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-03-10 21:57@uppy/companion prior to version 3.3.1 is vulnerable to incorrect authorization. A user with URL upload access could enumerate internal companion server networks, send local webservers files to the destination server, and finally download them If each of these files had a guessable and regular name.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@uppy/companion"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0528"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-10T21:57:56Z",
"nvd_published_at": "2022-03-03T07:15:00Z",
"severity": "HIGH"
},
"details": "@uppy/companion prior to version 3.3.1 is vulnerable to incorrect authorization. A user with URL upload access could enumerate internal companion server networks, send local webservers files to the destination server, and finally download them If each of these files had a guessable and regular name.",
"id": "GHSA-q24h-5rq3-63j9",
"modified": "2022-03-10T21:57:56Z",
"published": "2022-03-04T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0528"
},
{
"type": "WEB",
"url": "https://github.com/transloadit/uppy/commit/267c34045a1e62c98406d8c31261c604a11e544a"
},
{
"type": "PACKAGE",
"url": "https://github.com/transloadit/uppy"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/8b060cc3-2420-468e-8293-b9216620175b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Authorization in @uppy/companion"
}
GHSA-Q25C-C977-4CMH
Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-07-24 17:34A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component in langchain-community (langchain-community.retrievers.web_research.WebResearchRetriever). The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This flaw enables attackers to execute port scans, access local services, and in some scenarios, read instance metadata from cloud environments. The vulnerability is particularly concerning as it can be exploited to abuse the Web Explorer server as a proxy for web attacks on third parties and interact with servers in the local network, including reading their response data. This could potentially lead to arbitrary code execution, depending on the nature of the local services. The vulnerability is limited to GET requests, as POST requests are not possible, but the impact on confidentiality, integrity, and availability is significant due to the potential for stolen credentials and state-changing interactions with internal APIs.
The patched code: * Requires users to opt-in * Suggests using a proxy to prevent requests to local addresses
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langchain-community"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-3095"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-06T22:41:06Z",
"nvd_published_at": "2024-06-06T19:15:59Z",
"severity": "MODERATE"
},
"details": "A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component in langchain-community (langchain-community.retrievers.web_research.WebResearchRetriever). The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This flaw enables attackers to execute port scans, access local services, and in some scenarios, read instance metadata from cloud environments. The vulnerability is particularly concerning as it can be exploited to abuse the Web Explorer server as a proxy for web attacks on third parties and interact with servers in the local network, including reading their response data. This could potentially lead to arbitrary code execution, depending on the nature of the local services. The vulnerability is limited to GET requests, as POST requests are not possible, but the impact on confidentiality, integrity, and availability is significant due to the potential for stolen credentials and state-changing interactions with internal APIs.\n\nThe patched code:\n* Requires users to opt-in\n* Suggests using a proxy to prevent requests to local addresses",
"id": "GHSA-q25c-c977-4cmh",
"modified": "2024-07-24T17:34:39Z",
"published": "2024-06-06T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3095"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain/pull/24451"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7"
},
{
"type": "PACKAGE",
"url": "https://github.com/langchain-ai/langchain"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-community%3D%3D0.2.9"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever"
}
GHSA-Q28R-579J-9QXQ
Vulnerability from github – Published: 2026-07-13 12:35 – Updated: 2026-07-13 15:31Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino.
This issue affects Apache Gravitino: from 1.0.0 through 1.2.1.
Users are recommended to upgrade to version 1.3.0, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-49876"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T10:16:29Z",
"severity": "MODERATE"
},
"details": "Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino.\n\nThis issue affects Apache Gravitino: from 1.0.0 through 1.2.1.\n\nUsers are recommended to upgrade to version 1.3.0, which fixes the issue.",
"id": "GHSA-q28r-579j-9qxq",
"modified": "2026-07-13T15:31:44Z",
"published": "2026-07-13T12:35:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49876"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/2ffkj771d6dp1okh2cdtody969hoo1zs"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/13/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q28W-JQ68-2WFW
Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-27 19:00The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks
{
"affected": [],
"aliases": [
"CVE-2022-3247"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-25T17:15:00Z",
"severity": "MODERATE"
},
"details": "The Blog2Social: Social Media Auto Post \u0026 Scheduler WordPress plugin before 6.9.10 does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks",
"id": "GHSA-q28w-jq68-2wfw",
"modified": "2022-10-27T19:00:29Z",
"published": "2022-10-25T19:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3247"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/ee312f22-ca58-451d-a1cb-3f78a6e5ecaf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q2GC-2P96-WXG9
Vulnerability from github – Published: 2026-07-14 03:31 – Updated: 2026-07-14 03:31A security vulnerability has been detected in mosaxiv clawlet up to 0.2.10. This affects the function tools.webFetch of the file tools/tool_web_fetch.go. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed with the label "not planned".
{
"affected": [],
"aliases": [
"CVE-2026-15620"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T01:16:16Z",
"severity": "LOW"
},
"details": "A security vulnerability has been detected in mosaxiv clawlet up to 0.2.10. This affects the function tools.webFetch of the file tools/tool_web_fetch.go. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed with the label \"not planned\".",
"id": "GHSA-q2gc-2p96-wxg9",
"modified": "2026-07-14T03:31:34Z",
"published": "2026-07-14T03:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15620"
},
{
"type": "WEB",
"url": "https://github.com/mosaxiv/clawlet/issues/14"
},
{
"type": "WEB",
"url": "https://github.com/mosaxiv/clawlet"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15620"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/855795"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/378123"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/378123/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q2P7-5M6X-29X8
Vulnerability from github – Published: 2026-05-19 18:32 – Updated: 2026-05-19 18:32Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
{
"affected": [],
"aliases": [
"CVE-2026-47356"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T17:16:22Z",
"severity": "HIGH"
},
"details": "Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.",
"id": "GHSA-q2p7-5m6x-29x8",
"modified": "2026-05-19T18:32:13Z",
"published": "2026-05-19T18:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47356"
},
{
"type": "WEB",
"url": "https://github.com/tenable/terrascan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q2PQ-WMHC-M7HV
Vulnerability from github – Published: 2024-10-22 18:32 – Updated: 2024-10-22 21:30An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE).
{
"affected": [],
"aliases": [
"CVE-2024-45518"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-22T17:15:03Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE).",
"id": "GHSA-q2pq-wmhc-m7hv",
"modified": "2024-10-22T21:30:37Z",
"published": "2024-10-22T18:32:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45518"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q2Q9-Q8MV-PV59
Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2024-10-30 18:30SparkShop <=1.1.7 is vulnerable to server-side request forgery (SSRF). This vulnerability allows attacks to scan ports on the Intranet or local network where the server resides, attack applications running on the Intranet or local network, or read metadata on the cloud server.
{
"affected": [],
"aliases": [
"CVE-2024-48107"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T21:15:09Z",
"severity": "MODERATE"
},
"details": "SparkShop \u003c=1.1.7 is vulnerable to server-side request forgery (SSRF). This vulnerability allows attacks to scan ports on the Intranet or local network where the server resides, attack applications running on the Intranet or local network, or read metadata on the cloud server.",
"id": "GHSA-q2q9-q8mv-pv59",
"modified": "2024-10-30T18:30:48Z",
"published": "2024-10-28T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48107"
},
{
"type": "WEB",
"url": "https://gist.github.com/RMAX2000/ebb654016e5b8a5b55aa6d8a7f2f321a#file-cve-2024-48107"
},
{
"type": "WEB",
"url": "https://gitee.com/sparkshop/sparkshop"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.