Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4640 vulnerabilities reference this CWE, most recent first.

GHSA-QMW5-54CP-96W5

Vulnerability from github – Published: 2025-11-18 09:30 – Updated: 2025-11-18 09:30
VLAI
Details

The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the url parameter in the [syndicate_local] shortcode. This is due to the use of wp_remote_get() instead of wp_safe_remote_get() which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and access resources that should not be accessible from external networks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-18T09:15:49Z",
    "severity": "MODERATE"
  },
  "details": "The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. This is due to the use of `wp_remote_get()` instead of `wp_safe_remote_get()` which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and access resources that should not be accessible from external networks.",
  "id": "GHSA-qmw5-54cp-96w5",
  "modified": "2025-11-18T09:30:52Z",
  "published": "2025-11-18T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12962"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L41"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L64"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7774cdfd-622a-4608-9efd-273923a0d0aa?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP2P-M8V3-MGHG

Vulnerability from github – Published: 2022-10-14 12:00 – Updated: 2022-10-14 12:00
VLAI
Details

ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-13T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.",
  "id": "GHSA-qp2p-m8v3-mghg",
  "modified": "2022-10-14T12:00:17Z",
  "published": "2022-10-14T12:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jayus0821/insight/blob/master/ClipperCMS%20SSRF2.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP4C-XG64-7C6X

Vulnerability from github – Published: 2026-03-12 14:51 – Updated: 2026-04-15 20:46
VLAI
Summary
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects.

The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.

### Patches

Patched in @backstage/plugin-auth-backend version 0.27.1. The fix disables HTTP redirect following when fetching CIMD metadata documents.

### Workarounds

Disable the experimental CIMD feature by removing or setting auth.experimentalClientIdMetadataDocuments.enabled to false in your app-config. This is the default configuration. Alternatively, restrict allowedClientIdPatterns to specific trusted domains rather than using the default wildcard pattern.

### References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@backstage/plugin-auth-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.27.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:51:02Z",
    "nvd_published_at": "2026-03-12T19:16:18Z",
    "severity": "LOW"
  },
  "details": "### Impact                                                                                                                                                                         \n                                                           \n  A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD \n  metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects.\n                          \n  The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly\n   enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected.\n\n  ### Patches\n\n  Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents.\n\n  ### Workarounds\n\n  Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration.\n   Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern.\n\n  ### References\n\n  - [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)\n  - [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)",
  "id": "GHSA-qp4c-xg64-7c6x",
  "modified": "2026-04-15T20:46:59Z",
  "published": "2026-03-12T14:51:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/backstage/backstage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch"
}

GHSA-QP8J-P87F-C8CC

Vulnerability from github – Published: 2025-04-07 16:54 – Updated: 2025-04-10 01:55
VLAI
Summary
LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback
Details

Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. The vulnerability exists in the LNURL authentication callback process where the application makes HTTP requests to user-provided callback URLs and follows redirects without proper validation.

When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.

This vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal network locations, potentially exposing sensitive information or accessing internal services that should not be accessible from the internet.

Steps to Reproduce

  1. Create a new wallet account to get an admin key:
curl -X POST http://target:5000/api/v1/account -d '{"name":"test"}'
  1. Use the obtained admin key to send a crafted LNURL authentication request:
curl -X POST http://target:5000/api/v1/lnurlauth \
  -H "X-Api-Key: <admin_key>" \
  -H "Content-Type: application/json" \
  -d '{
    "callback": "http://target-internal-server/?tag=login&k1=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "k1": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "sig": "0"*128,
    "key": "0"*64
  }'

The application will make an HTTP request to the internal URL specified in the callback parameter and return its contents in the response, allowing access to internal resources that should not be accessible.

Mitigations

  • Implement strict URL validation for callback URLs, ensuring they only point to allowed domains and networks.
  • Use a whitelist of allowed domains and IP ranges for callback URLs.
  • Disable redirect following in HTTP requests or implement strict redirect validation.
  • Consider using a proxy service that restricts access to internal networks when making external HTTP requests.

Impact

This vulnerability allows authenticated attackers to access internal network resources that should not be accessible from the internet. While authentication is required to exploit this vulnerability, any user who can create a wallet gets the necessary access level. The vulnerability can be used to read internal files, access internal services, and potentially expose sensitive information from the internal network.

Disclosure Policy

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lnbits"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.12.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-07T16:54:36Z",
    "nvd_published_at": "2025-04-06T20:15:15Z",
    "severity": "CRITICAL"
  },
  "details": "# Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System\n\n## Disclaimer\n\nThis vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.\n\n## Description\n\nA Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits\u0027 LNURL authentication handling functionality. The vulnerability exists in the LNURL authentication callback process where the application makes HTTP requests to user-provided callback URLs and follows redirects without proper validation.\n\nWhen processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn\u0027t properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.\n\nThis vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal network locations, potentially exposing sensitive information or accessing internal services that should not be accessible from the internet.\n\n## Steps to Reproduce\n\n1. Create a new wallet account to get an admin key:\n\n```\ncurl -X POST http://target:5000/api/v1/account -d \u0027{\"name\":\"test\"}\u0027\n```\n\n2. Use the obtained admin key to send a crafted LNURL authentication request:\n\n```\ncurl -X POST http://target:5000/api/v1/lnurlauth \\\n  -H \"X-Api-Key: \u003cadmin_key\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"callback\": \"http://target-internal-server/?tag=login\u0026k1=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\",\n    \"k1\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\",\n    \"sig\": \"0\"*128,\n    \"key\": \"0\"*64\n  }\u0027\n```\n\nThe application will make an HTTP request to the internal URL specified in the callback parameter and return its contents in the response, allowing access to internal resources that should not be accessible.\n\n## Mitigations\n\n- Implement strict URL validation for callback URLs, ensuring they only point to allowed domains and networks.\n- Use a whitelist of allowed domains and IP ranges for callback URLs.\n- Disable redirect following in HTTP requests or implement strict redirect validation.\n- Consider using a proxy service that restricts access to internal networks when making external HTTP requests.\n\n## Impact\n\nThis vulnerability allows authenticated attackers to access internal network resources that should not be accessible from the internet. While authentication is required to exploit this vulnerability, any user who can create a wallet gets the necessary access level. The vulnerability can be used to read internal files, access internal services, and potentially expose sensitive information from the internal network.\n\n## Disclosure Policy\n\nThis bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.",
  "id": "GHSA-qp8j-p87f-c8cc",
  "modified": "2025-04-10T01:55:57Z",
  "published": "2025-04-07T16:54:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32013"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lnbits/lnbits"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lnbits/PYSEC-2025-16.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback"
}

GHSA-QPJ9-QCWX-8JV2

Vulnerability from github – Published: 2025-06-19 14:29 – Updated: 2025-06-20 14:19
VLAI
Summary
PowSyBl Core XML Reader allows XXE and SSRF
Details

Impact

What kind of vulnerability is it? Who is impacted? In certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels.

Am I impacted?

You are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files.

Patches

com.powsybl:powsybl-commons:6.7.2 and higher

References

powsybl-core v6.7.2

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.7.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.powsybl:powsybl-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-19T14:29:40Z",
    "nvd_published_at": "2025-06-19T22:15:19Z",
    "severity": "LOW"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nIn certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack.\nThis allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system.\nThe vulnerable class is `com.powsybl.commons.xml.XmlReader` which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels.\n\n#### Am I impacted?\nYou are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files.\n\n### Patches\ncom.powsybl:powsybl-commons:6.7.2 and higher\n\n### References\n[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)",
  "id": "GHSA-qpj9-qcwx-8jv2",
  "modified": "2025-06-20T14:19:17Z",
  "published": "2025-06-19T14:29:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-qpj9-qcwx-8jv2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/powsybl/powsybl-core/commit/e6c7c4997ae8758b54a2f23ce1a499e25113acdc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/powsybl/powsybl-core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PowSyBl Core XML Reader allows XXE and SSRF"
}

GHSA-QPR4-C339-7VQ8

Vulnerability from github – Published: 2025-09-04 19:24 – Updated: 2025-09-05 16:10
VLAI
Summary
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter
Details

Summary

When using Astro's Cloudflare adapter (@astrojs/cloudflare) configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint, which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin.

PoC

  1. Create a new minimal Astro project (astro@5.13.3)

  2. Configure it to use the Cloudflare adapter (@astrojs/cloudflare@12.6.5) and server output:

```js // astro.config.mjs import { defineConfig } from 'astro/config'; import cloudflare from '@astrojs/cloudflare';

export default defineConfig({ output: 'server', adapter: cloudflare(), }); ```

  1. Deploy to Cloudflare Pages or Workers

  2. Append /_image?href=https://placehold.co/600x400 to the deployment URL.

  3. This will serve the placeholder image from the unauthorised placehold.co domain.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized content. This includes the risk of server-side request forgery (SSRF) and by extension cross-site scripting (XSS) if a user follows a link to a maliciously crafted URL.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@astrojs/cloudflare"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.3"
            },
            {
              "fixed": "12.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-04T19:24:11Z",
    "nvd_published_at": "2025-09-05T00:15:32Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nWhen using Astro\u0027s Cloudflare adapter (`@astrojs/cloudflare`) configured with `output: \u0027server\u0027` while using the default `imageService: \u0027compile\u0027`, the generated image optimization endpoint doesn\u0027t check the URLs it receives, allowing content from unauthorized third-party domains to be served.\n\n### Details\n\nOn-demand rendered sites built with Astro include an `/_image` endpoint, which returns optimized versions of images.\n\nThe `/_image` endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the [`image.domains`](https://docs.astro.build/en/reference/configuration-reference/#imagedomains) or [`image.remotePatterns`](https://docs.astro.build/en/reference/configuration-reference/#imageremotepatterns) options).\n\nHowever, a bug in impacted versions of the `@astrojs/cloudflare` adapter for deployment on Cloudflare\u2019s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin.\n\n### PoC\n\n1. Create a new minimal Astro project (`astro@5.13.3`)\n\n2. Configure it to use the Cloudflare adapter (`@astrojs/cloudflare@12.6.5`) and server output:\n\n   ```js\n   // astro.config.mjs\n   import { defineConfig } from \u0027astro/config\u0027;\n   import cloudflare from \u0027@astrojs/cloudflare\u0027;\n\n   export default defineConfig({\n     output: \u0027server\u0027,\n     adapter: cloudflare(),\n   });\n   ```\n\n3. Deploy to Cloudflare Pages or Workers\n\n4. Append `/_image?href=https://placehold.co/600x400` to the deployment URL.\n\n7. This will serve the placeholder image from the unauthorised `placehold.co` domain.\n\n### Impact\n\nAllows a non-authorized third-party to create URLs on an impacted site\u2019s origin that serve unauthorized content. This includes the risk of server-side request forgery (SSRF) and by extension cross-site scripting (XSS) if a user follows a link to a maliciously crafted URL.",
  "id": "GHSA-qpr4-c339-7vq8",
  "modified": "2025-09-05T16:10:42Z",
  "published": "2025-09-04T19:24:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-qpr4-c339-7vq8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58179"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withastro/astro"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter"
}

GHSA-QQ22-JJ8X-4WWV

Vulnerability from github – Published: 2024-05-03 20:29 – Updated: 2025-02-21 16:11
VLAI
Summary
Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull
Details

Impact

An authenticated user who has access to a game server is able to bypass the previously implemented access control (https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible.

Workarounds

Enabling the api.disable_remote_download option or updating to the latest version of Wings are the only known workarounds.

Patches

https://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pterodactyl/wings"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-441",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-03T20:29:59Z",
    "nvd_published_at": "2024-05-03T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAn authenticated user who has access to a game server is able to bypass the previously implemented access control (https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible.\n\n### Workarounds\n\nEnabling the `api.disable_remote_download` option or updating to the latest version of Wings are the only known workarounds.\n\n### Patches\n\nhttps://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8",
  "id": "GHSA-qq22-jj8x-4wwv",
  "modified": "2025-02-21T16:11:49Z",
  "published": "2024-05-03T20:29:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-qq22-jj8x-4wwv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34068"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pterodactyl/wings"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-2815"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull"
}

GHSA-QQ3X-34H5-GRMG

Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-17 15:34
VLAI
Details

Server-Side Request Forgery (SSRF) vulnerability in Ctera Portal 8.1.x (8.1.1417.24) allows remote attackers to induce the server to make arbitrary HTTP requests via a crafted HTML file containing an iframe.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T18:16:12Z",
    "severity": "HIGH"
  },
  "details": "Server-Side Request Forgery (SSRF) vulnerability in Ctera Portal 8.1.x (8.1.1417.24) allows remote attackers to induce the server to make arbitrary HTTP requests via a crafted HTML file containing an iframe.",
  "id": "GHSA-qq3x-34h5-grmg",
  "modified": "2025-12-17T15:34:52Z",
  "published": "2025-12-16T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52196"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/simonecris/99baeb07fe6e1803d461e44031819cd3"
    },
    {
      "type": "WEB",
      "url": "https://kb.ctera.com/docs/81x-portal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ4X-R2PP-5QFW

Vulnerability from github – Published: 2024-07-22 12:30 – Updated: 2024-07-22 12:30
VLAI
Details

Server-Side Request Forgery (SSRF) vulnerability in Bernhard Kux JSON Content Importer.This issue affects JSON Content Importer: from n/a through 1.5.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-22T11:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Server-Side Request Forgery (SSRF) vulnerability in Bernhard Kux JSON Content Importer.This issue affects JSON Content Importer: from n/a through 1.5.6.",
  "id": "GHSA-qq4x-r2pp-5qfw",
  "modified": "2024-07-22T12:30:38Z",
  "published": "2024-07-22T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38723"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/json-content-importer/wordpress-get-use-apis-json-content-importer-plugin-1-5-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ52-64C9-PCW8

Vulnerability from github – Published: 2023-07-17 18:31 – Updated: 2024-04-04 06:10
VLAI
Details

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-17T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost fails to properly restrict requests to\u00a0localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited\u00a0blind SSRF.\n\n",
  "id": "GHSA-qq52-64c9-pcw8",
  "modified": "2024-04-04T06:10:52Z",
  "published": "2023-07-17T18:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3577"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.