CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4633 vulnerabilities reference this CWE, most recent first.
GHSA-R6M2-CJ32-WG84
Vulnerability from github – Published: 2023-10-09 09:30 – Updated: 2024-02-01 03:30The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF.
{
"affected": [],
"aliases": [
"CVE-2023-39854"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-09T07:15:24Z",
"severity": "MODERATE"
},
"details": "The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF.",
"id": "GHSA-r6m2-cj32-wg84",
"modified": "2024-02-01T03:30:22Z",
"published": "2023-10-09T09:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39854"
},
{
"type": "WEB",
"url": "https://wiki.notveg.ninja/blog/CVE-2023-39854"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6M7-VHGH-X9QF
Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-05 21:30Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through <= 1.2.6.
{
"affected": [],
"aliases": [
"CVE-2026-28036"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T06:16:36Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through \u003c= 1.2.6.",
"id": "GHSA-r6m7-vhgh-x9qf",
"modified": "2026-03-05T21:30:43Z",
"published": "2026-03-05T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28036"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/ratatouille/vulnerability/wordpress-ratatouille-theme-1-2-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R747-33R4-RMJW
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-11 16:12Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-c4qg-j8jg-42q5. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T16:12:55Z",
"nvd_published_at": "2026-05-06T20:16:35Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-c4qg-j8jg-42q5. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.",
"id": "GHSA-r747-33r4-rmjw",
"modified": "2026-05-11T16:12:55Z",
"published": "2026-05-06T21:31:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44117"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qqbot-direct-media-upload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation",
"withdrawn": "2026-05-11T16:12:55Z"
}
GHSA-R7M8-874R-4G5V
Vulnerability from github – Published: 2026-03-30 21:31 – Updated: 2026-03-30 21:31Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php.
{
"affected": [],
"aliases": [
"CVE-2026-29925"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T19:16:24Z",
"severity": "HIGH"
},
"details": "Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php.",
"id": "GHSA-r7m8-874r-4g5v",
"modified": "2026-03-30T21:31:04Z",
"published": "2026-03-30T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29925"
},
{
"type": "WEB",
"url": "https://gist.github.com/TrekLaps/5b2c72106d950dab0cd1897eb93200f1"
},
{
"type": "WEB",
"url": "https://github.com/invoiceninja/invoiceninja/blob/v5-stable/app/Http/Requests/Setup/CheckDatabaseRequest.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7QF-PRJ4-7JHP
Vulnerability from github – Published: 2022-05-14 03:38 – Updated: 2022-05-14 03:38A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. A remote attacker may exploit this issue by providing a URL. It could bypass access control such as firewalls that prevent the attackers from accessing the URLs directly.
{
"affected": [],
"aliases": [
"CVE-2017-6201"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-06T16:29:00Z",
"severity": "HIGH"
},
"details": "A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. A remote attacker may exploit this issue by providing a URL. It could bypass access control such as firewalls that prevent the attackers from accessing the URLs directly.",
"id": "GHSA-r7qf-prj4-7jhp",
"modified": "2022-05-14T03:38:26Z",
"published": "2022-05-14T03:38:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6201"
},
{
"type": "WEB",
"url": "https://github.com/sandstorm-io/sandstorm/commit/164997fb958effbc90c5328c166706280a84aaa1"
},
{
"type": "WEB",
"url": "https://devco.re/blog/2018/01/26/Sandstorm-Security-Review-CVE-2017-6200-en"
},
{
"type": "WEB",
"url": "https://sandstorm.io/news/2017-03-02-security-review"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7W5-7G5J-XMXJ
Vulnerability from github – Published: 2023-10-23 21:30 – Updated: 2024-04-04 08:53umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-45966"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T21:15:08Z",
"severity": "HIGH"
},
"details": "umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability.",
"id": "GHSA-r7w5-7g5j-xmxj",
"modified": "2024-04-04T08:53:37Z",
"published": "2023-10-23T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45966"
},
{
"type": "WEB",
"url": "https://github.com/umputun/remark42/issues/1677"
},
{
"type": "WEB",
"url": "https://github.com/jet-pentest/CVE-2023-45966"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7W7-9XR2-QQ2R
Vulnerability from github – Published: 2026-04-16 23:00 – Updated: 2026-06-06 00:59Summary
langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
The practical impact is limited because the fetched response body is passed directly to Pillow's Image.open() to extract dimensions — the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).
Affected versions
langchain-openai< 1.1.14
Patched versions
langchain-openai>= 1.1.14 (requireslangchain-core>= 1.2.31)
Affected code
File: libs/partners/openai/langchain_openai/chat_models/base.py — _url_to_size()
The vulnerable pattern was a validate-then-fetch with separate DNS resolution:
validate_safe_url(image_source, allow_private=False, allow_http=True)
# ... separate network operation with independent DNS resolution ...
response = httpx.get(image_source, timeout=timeout)
Fix
The fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (SSRFSafeSyncTransport from langchain-core) that:
- Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)
- Pins the connection to the validated IP, eliminating the DNS rebinding window
- Disables redirect following to prevent redirect-based SSRF bypasses
This fix was released in langchain-openai 1.1.14.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langchain-openai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41488"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T23:00:12Z",
"nvd_published_at": "2026-04-24T21:16:19Z",
"severity": "LOW"
},
"details": "## Summary\n\n`langchain-openai`\u0027s `_url_to_size()` helper (used by `get_num_tokens_from_messages` for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.\n\nThe practical impact is limited because the fetched response body is passed directly to Pillow\u0027s `Image.open()` to extract dimensions \u2014 the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).\n\n## Affected versions\n\n- `langchain-openai` \u003c 1.1.14\n\n## Patched versions\n\n- `langchain-openai` \u003e= 1.1.14 (requires `langchain-core` \u003e= 1.2.31)\n\n## Affected code\n\n**File:** `libs/partners/openai/langchain_openai/chat_models/base.py` \u2014 `_url_to_size()`\n\nThe vulnerable pattern was a validate-then-fetch with separate DNS resolution:\n\n```python\nvalidate_safe_url(image_source, allow_private=False, allow_http=True)\n# ... separate network operation with independent DNS resolution ...\nresponse = httpx.get(image_source, timeout=timeout)\n```\n\n## Fix\n\nThe fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (`SSRFSafeSyncTransport` from `langchain-core`) that:\n\n- Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)\n- Pins the connection to the validated IP, eliminating the DNS rebinding window\n- Disables redirect following to prevent redirect-based SSRF bypasses\n\nThis fix was released in langchain-openai 1.1.14.",
"id": "GHSA-r7w7-9xr2-qq2r",
"modified": "2026-06-06T00:59:02Z",
"published": "2026-04-16T23:00:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41488"
},
{
"type": "PACKAGE",
"url": "https://github.com/langchain-ai/langchain"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain-openai/PYSEC-2026-76.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding"
}
GHSA-R7WF-XJ64-53F2
Vulnerability from github – Published: 2025-10-24 00:30 – Updated: 2025-10-24 00:30Server-side request forgery (ssrf) in Azure Compute Gallery allows an authorized attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2025-59503"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T22:15:48Z",
"severity": "CRITICAL"
},
"details": "Server-side request forgery (ssrf) in Azure Compute Gallery allows an authorized attacker to elevate privileges over a network.",
"id": "GHSA-r7wf-xj64-53f2",
"modified": "2025-10-24T00:30:52Z",
"published": "2025-10-24T00:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59503"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59503"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R826-HJQ2-M422
Vulnerability from github – Published: 2025-12-16 09:31 – Updated: 2026-01-20 15:32Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery.This issue affects Kerge: from n/a through <= 4.1.3.
{
"affected": [],
"aliases": [
"CVE-2025-67989"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T09:16:00Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery.This issue affects Kerge: from n/a through \u003c= 4.1.3.",
"id": "GHSA-r826-hjq2-m422",
"modified": "2026-01-20T15:32:16Z",
"published": "2025-12-16T09:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67989"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/kerge/vulnerability/wordpress-kerge-theme-4-1-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/kerge/vulnerability/wordpress-kerge-theme-4-1-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R865-X64G-F9MM
Vulnerability from github – Published: 2026-06-26 09:30 – Updated: 2026-06-26 09:30The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests.
Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.
{
"affected": [],
"aliases": [
"CVE-2026-2053"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T08:16:21Z",
"severity": "HIGH"
},
"details": "The WSO2 API Manager\u0027s message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests.\n\nSuccessful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.",
"id": "GHSA-r865-x64g-f9mm",
"modified": "2026-06-26T09:30:46Z",
"published": "2026-06-26T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2053"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5072"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.