CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4638 vulnerabilities reference this CWE, most recent first.
GHSA-R7W7-9XR2-QQ2R
Vulnerability from github – Published: 2026-04-16 23:00 – Updated: 2026-06-06 00:59Summary
langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
The practical impact is limited because the fetched response body is passed directly to Pillow's Image.open() to extract dimensions — the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).
Affected versions
langchain-openai< 1.1.14
Patched versions
langchain-openai>= 1.1.14 (requireslangchain-core>= 1.2.31)
Affected code
File: libs/partners/openai/langchain_openai/chat_models/base.py — _url_to_size()
The vulnerable pattern was a validate-then-fetch with separate DNS resolution:
validate_safe_url(image_source, allow_private=False, allow_http=True)
# ... separate network operation with independent DNS resolution ...
response = httpx.get(image_source, timeout=timeout)
Fix
The fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (SSRFSafeSyncTransport from langchain-core) that:
- Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)
- Pins the connection to the validated IP, eliminating the DNS rebinding window
- Disables redirect following to prevent redirect-based SSRF bypasses
This fix was released in langchain-openai 1.1.14.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langchain-openai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41488"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T23:00:12Z",
"nvd_published_at": "2026-04-24T21:16:19Z",
"severity": "LOW"
},
"details": "## Summary\n\n`langchain-openai`\u0027s `_url_to_size()` helper (used by `get_num_tokens_from_messages` for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.\n\nThe practical impact is limited because the fetched response body is passed directly to Pillow\u0027s `Image.open()` to extract dimensions \u2014 the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).\n\n## Affected versions\n\n- `langchain-openai` \u003c 1.1.14\n\n## Patched versions\n\n- `langchain-openai` \u003e= 1.1.14 (requires `langchain-core` \u003e= 1.2.31)\n\n## Affected code\n\n**File:** `libs/partners/openai/langchain_openai/chat_models/base.py` \u2014 `_url_to_size()`\n\nThe vulnerable pattern was a validate-then-fetch with separate DNS resolution:\n\n```python\nvalidate_safe_url(image_source, allow_private=False, allow_http=True)\n# ... separate network operation with independent DNS resolution ...\nresponse = httpx.get(image_source, timeout=timeout)\n```\n\n## Fix\n\nThe fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (`SSRFSafeSyncTransport` from `langchain-core`) that:\n\n- Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)\n- Pins the connection to the validated IP, eliminating the DNS rebinding window\n- Disables redirect following to prevent redirect-based SSRF bypasses\n\nThis fix was released in langchain-openai 1.1.14.",
"id": "GHSA-r7w7-9xr2-qq2r",
"modified": "2026-06-06T00:59:02Z",
"published": "2026-04-16T23:00:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41488"
},
{
"type": "PACKAGE",
"url": "https://github.com/langchain-ai/langchain"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain-openai/PYSEC-2026-76.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding"
}
GHSA-R7WF-XJ64-53F2
Vulnerability from github – Published: 2025-10-24 00:30 – Updated: 2025-10-24 00:30Server-side request forgery (ssrf) in Azure Compute Gallery allows an authorized attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2025-59503"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T22:15:48Z",
"severity": "CRITICAL"
},
"details": "Server-side request forgery (ssrf) in Azure Compute Gallery allows an authorized attacker to elevate privileges over a network.",
"id": "GHSA-r7wf-xj64-53f2",
"modified": "2025-10-24T00:30:52Z",
"published": "2025-10-24T00:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59503"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59503"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R826-HJQ2-M422
Vulnerability from github – Published: 2025-12-16 09:31 – Updated: 2026-01-20 15:32Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery.This issue affects Kerge: from n/a through <= 4.1.3.
{
"affected": [],
"aliases": [
"CVE-2025-67989"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T09:16:00Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery.This issue affects Kerge: from n/a through \u003c= 4.1.3.",
"id": "GHSA-r826-hjq2-m422",
"modified": "2026-01-20T15:32:16Z",
"published": "2025-12-16T09:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67989"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/kerge/vulnerability/wordpress-kerge-theme-4-1-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/kerge/vulnerability/wordpress-kerge-theme-4-1-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R865-X64G-F9MM
Vulnerability from github – Published: 2026-06-26 09:30 – Updated: 2026-06-26 09:30The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests.
Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.
{
"affected": [],
"aliases": [
"CVE-2026-2053"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T08:16:21Z",
"severity": "HIGH"
},
"details": "The WSO2 API Manager\u0027s message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests.\n\nSuccessful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.",
"id": "GHSA-r865-x64g-f9mm",
"modified": "2026-06-26T09:30:46Z",
"published": "2026-06-26T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2053"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5072"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-R8C8-Q2JQ-WJQ4
Vulnerability from github – Published: 2024-03-07 21:30 – Updated: 2024-08-06 15:30Server Side Request Forgery (SSRF) vulnerability in hcengineering Huly Platform v.0.6.202 allows attackers to run arbitrary code via upload of crafted SVG file.
{
"affected": [],
"aliases": [
"CVE-2024-27707"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-07T21:15:08Z",
"severity": "MODERATE"
},
"details": "Server Side Request Forgery (SSRF) vulnerability in hcengineering Huly Platform v.0.6.202 allows attackers to run arbitrary code via upload of crafted SVG file.",
"id": "GHSA-r8c8-q2jq-wjq4",
"modified": "2024-08-06T15:30:47Z",
"published": "2024-03-07T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27707"
},
{
"type": "WEB",
"url": "https://github.com/b-hermes/vulnerability-research/tree/main/CVE-2024-27707"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8J5-8747-88CM
Vulnerability from github – Published: 2026-05-14 20:55 – Updated: 2026-06-09 10:26Summary
The @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual() validates the discovery URL against an HTTPS / loopback allowlist, but callTool() reuses the resolved toolCallTemplate.url directly without revalidating, and the OpenApiConverter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: "http://127.0.0.1:9090" }] or servers: [{ url: "http://169.254.169.254" }]; the converter then produces tools whose URL points at internal services on the agent host.
A separate prefix-bypass also affected the discovery-time check: the previous startsWith('http://localhost') guard let URLs like http://localhost.evil.com through.
Sister advisory
This is the npm/TypeScript counterpart of GHSA-39j6-4867-gg4w / CVE-2026-44661 on the Python utcp-http package. Same vulnerability, same fix shape, same reporter.
Versions and patch state
@utcp/http <= 1.1.1— vulnerable. Both the loopback-redirect (http://127.0.0.1) and the non-loopback internal-IP variants (e.g.http://169.254.169.254,http://10.0.0.5) succeed. Note: thestreamable_httpandssecallToolStreamingpaths in 1.1.1 are TODO placeholders and don't actually fetch URLs, so the runtime SSRF surface in these protocols is currently confined to discovery — a future implementation must also callensureSecureUrlbefore issuing the request.@utcp/http 1.1.2— full fix. Runtime revalidation incallToolcloses the non-loopback variants; theOpenApiConverterrejects, at conversion time, any spec fetched from a non-loopback source that declares a loopbackservers[0].url, closing the loopback-redirect variant.
Impact
A remote attacker who can convince the agent (via the LLM context, prompt injection, or a tool-discovery surface) to register their HTTPS OpenAPI URL can:
- Map internal networks behind the agent.
- Read AWS/GCP IAM credentials from cloud metadata endpoints (http://169.254.169.254, http://metadata.google.internal).
- Reach unauthenticated internal services exposed on loopback (Elasticsearch, Redis HTTP, internal admin panels, the agent's own HTTP server).
- Have responses returned to the LLM, which combined with prompt injection enables exfiltration back to the attacker.
Patch
Commit on dev: 21f63e6.
New helper packages/http/src/_security.ts exposes isSecureUrl, isLoopbackUrl, ensureSecureUrl. Hostname-based validation closes the prefix bypass (http://localhost.evil.com → rejected). All three protocols' registerManual now call ensureSecureUrl(url, 'manual discovery'); callTool re-checks the resolved URL with ensureSecureUrl(url, 'tool invocation') immediately before the axios request. OpenApiConverter rejects remote spec → loopback server.
Workarounds
For users who cannot upgrade immediately:
- Refuse to call registerManual with any URL controlled by an untrusted party, even over HTTPS.
- Restrict outbound network access from the host running the agent so internal addresses (RFC1918, 169.254.0.0/16, loopback) are unreachable.
Credit
Discovered and reported by @YLChen-007 against the Python sibling implementation (universal-tool-calling-protocol/python-utcp#83). The TypeScript port shared the same code shape and the same vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "npm",
"name": "@utcp/http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45366"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:55:05Z",
"nvd_published_at": "2026-05-28T22:17:00Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `@utcp/http` package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. `registerManual()` validates the discovery URL against an HTTPS / loopback allowlist, but `callTool()` reuses the resolved `toolCallTemplate.url` directly without revalidating, and the `OpenApiConverter` blindly trusts whatever `servers[0].url` an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. `servers: [{ url: \"http://127.0.0.1:9090\" }]` or `servers: [{ url: \"http://169.254.169.254\" }]`; the converter then produces tools whose URL points at internal services on the agent host.\n\nA separate prefix-bypass also affected the discovery-time check: the previous `startsWith(\u0027http://localhost\u0027)` guard let URLs like `http://localhost.evil.com` through.\n\n## Sister advisory\n\nThis is the npm/TypeScript counterpart of [GHSA-39j6-4867-gg4w / CVE-2026-44661](https://github.com/universal-tool-calling-protocol/python-utcp/security/advisories/GHSA-39j6-4867-gg4w) on the Python `utcp-http` package. Same vulnerability, same fix shape, same reporter.\n\n## Versions and patch state\n\n- `@utcp/http \u003c= 1.1.1` \u2014 vulnerable. Both the loopback-redirect (`http://127.0.0.1`) and the non-loopback internal-IP variants (e.g. `http://169.254.169.254`, `http://10.0.0.5`) succeed. Note: the `streamable_http` and `sse` `callToolStreaming` paths in 1.1.1 are TODO placeholders and don\u0027t actually fetch URLs, so the runtime SSRF surface in these protocols is currently confined to discovery \u2014 a future implementation must also call `ensureSecureUrl` before issuing the request.\n- `@utcp/http 1.1.2` \u2014 full fix. Runtime revalidation in `callTool` closes the non-loopback variants; the `OpenApiConverter` rejects, at conversion time, any spec fetched from a non-loopback source that declares a loopback `servers[0].url`, closing the loopback-redirect variant.\n\n## Impact\n\nA remote attacker who can convince the agent (via the LLM context, prompt injection, or a tool-discovery surface) to register their HTTPS OpenAPI URL can:\n- Map internal networks behind the agent.\n- Read AWS/GCP IAM credentials from cloud metadata endpoints (`http://169.254.169.254`, `http://metadata.google.internal`).\n- Reach unauthenticated internal services exposed on loopback (Elasticsearch, Redis HTTP, internal admin panels, the agent\u0027s own HTTP server).\n- Have responses returned to the LLM, which combined with prompt injection enables exfiltration back to the attacker.\n\n## Patch\n\nCommit on `dev`: 21f63e6.\n\nNew helper `packages/http/src/_security.ts` exposes `isSecureUrl`, `isLoopbackUrl`, `ensureSecureUrl`. Hostname-based validation closes the prefix bypass (`http://localhost.evil.com` \u2192 rejected). All three protocols\u0027 `registerManual` now call `ensureSecureUrl(url, \u0027manual discovery\u0027)`; `callTool` re-checks the resolved URL with `ensureSecureUrl(url, \u0027tool invocation\u0027)` immediately before the axios request. `OpenApiConverter` rejects remote spec \u2192 loopback server.\n\n## Workarounds\n\nFor users who cannot upgrade immediately:\n- Refuse to call `registerManual` with any URL controlled by an untrusted party, even over HTTPS.\n- Restrict outbound network access from the host running the agent so internal addresses (RFC1918, 169.254.0.0/16, loopback) are unreachable.\n\n## Credit\n\nDiscovered and reported by [@YLChen-007](https://github.com/YLChen-007) against the Python sibling implementation (universal-tool-calling-protocol/python-utcp#83). The TypeScript port shared the same code shape and the same vulnerability.",
"id": "GHSA-r8j5-8747-88cm",
"modified": "2026-06-09T10:26:31Z",
"published": "2026-05-14T20:55:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/universal-tool-calling-protocol/typescript-utcp/security/advisories/GHSA-r8j5-8747-88cm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45366"
},
{
"type": "WEB",
"url": "https://github.com/universal-tool-calling-protocol/python-utcp/issues/83"
},
{
"type": "PACKAGE",
"url": "https://github.com/universal-tool-calling-protocol/typescript-utcp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "@utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol"
}
GHSA-R8WP-FJ58-XQX3
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46IBM WebSphere Application Server 7.0, 8.0, and 8.5 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 197502.
{
"affected": [],
"aliases": [
"CVE-2021-20480"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-08T13:15:00Z",
"severity": "MODERATE"
},
"details": "IBM WebSphere Application Server 7.0, 8.0, and 8.5 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 197502.",
"id": "GHSA-r8wp-fj58-xqx3",
"modified": "2022-05-24T17:46:53Z",
"published": "2022-05-24T17:46:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20480"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/197502"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6441063"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R929-J7C3-45VR
Vulnerability from github – Published: 2022-05-17 00:01 – Updated: 2022-05-25 00:00The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated users, such as subscriber to perform blind SSRF attacks
{
"affected": [],
"aliases": [
"CVE-2022-1398"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-16T15:15:00Z",
"severity": "MODERATE"
},
"details": "The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated users, such as subscriber to perform blind SSRF attacks",
"id": "GHSA-r929-j7c3-45vr",
"modified": "2022-05-25T00:00:23Z",
"published": "2022-05-17T00:01:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1398"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/5440d177-e995-403e-b2c9-42ceda14579e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R92Q-JWG4-7CXV
Vulnerability from github – Published: 2024-06-05 00:30 – Updated: 2024-06-05 00:30A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172, 10, and 127 through regular expressions and limit access protocols to HTTP and HTTPS, attackers can still bypass these restrictions using alternative representations of IP addresses and accessing other ports running on localhost. This vulnerability enables attackers to access any asset on the internal network, attack web services on the internal network, scan hosts on the internal network, and potentially access AWS metadata endpoints. The vulnerability is due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.
{
"affected": [],
"aliases": [
"CVE-2024-4084"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-05T00:15:09Z",
"severity": "HIGH"
},
"details": "A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172, 10, and 127 through regular expressions and limit access protocols to HTTP and HTTPS, attackers can still bypass these restrictions using alternative representations of IP addresses and accessing other ports running on localhost. This vulnerability enables attackers to access any asset on the internal network, attack web services on the internal network, scan hosts on the internal network, and potentially access AWS metadata endpoints. The vulnerability is due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.",
"id": "GHSA-r92q-jwg4-7cxv",
"modified": "2024-06-05T00:30:49Z",
"published": "2024-06-05T00:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4084"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/bf44517e-a07d-4f54-89b4-3b05fca2a008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R95C-3GX6-F23P
Vulnerability from github – Published: 2021-12-14 00:00 – Updated: 2021-12-16 00:02IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 214616.
{
"affected": [],
"aliases": [
"CVE-2021-39057"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-13T19:15:00Z",
"severity": "HIGH"
},
"details": "IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 214616.",
"id": "GHSA-r95c-3gx6-f23p",
"modified": "2021-12-16T00:02:37Z",
"published": "2021-12-14T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39057"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214616"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6525346"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.