CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4658 vulnerabilities reference this CWE, most recent first.
GHSA-55V6-G8PM-PW4C
Vulnerability from github – Published: 2026-04-10 22:09 – Updated: 2026-04-10 22:09GitHub Security Lab (GHSL) Vulnerability Report, rembg: GHSL-2024-161, GHSL-2024-162
The GitHub Security Lab team has identified potential security vulnerabilities in rembg.
We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include GHSL-2024-161 or GHSL-2024-162 as a reference). See also this blog post written by GitHub's Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure.
If you are NOT the correct point of contact for this report, please let us know!
Summary
rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration, which may allow an attacker website to send requests to servers on the internal network and view image responses.
Project
rembg
Tested Version
Details
Issue 1: SSRF via /api/remove (GHSL-2024-161)
The /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg server.
async def get_index(
url: str = Query(
default=..., description="URL of the image that has to be processed."
),
commons: CommonQueryParams = Depends(),
):
async with aiohttp.ClientSession() as session:
async with session.get(url) as response:
file = await response.read()
return await asyncify(im_without_bg)(file, commons)
Impact
This issue may lead to Information Disclosure.
Remediation
Ensure that the IP address specified is not a local address. If resolving a domain name, ensure that the resolved IP address is not local.
Proof of Concept
curl -s "http://localhost:7000/api/remove?url=http://0.0.0.0/secret.png" -o output.png
Issue 2: CORS misconfiguration (GHSL-2024-162)
The following CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.
app.add_middleware(
CORSMiddleware,
allow_credentials=True,
allow_origins=["*"],
allow_methods=["*"],
allow_headers=["*"],
)
Impact
This issue may increase the severity of other vulnerabilities.
Remediation
Create an allowlist of specific endpoints that can send cross site requests to the rembg server.
Proof of Concept
An attacker website can host the following code:
const response = await fetch("http://localhost:7000/api/remove?url=https://0.0.0.0/secret.jpg");
If a victim running rembg server were to access the attacker website, the attacker website could read the file secret.jpg from the server hosted on the victim's internal network.
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.
Credit
These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-161 or GHSL-2024-162 in any communication regarding these issues.
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rembg"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.75"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T22:09:15Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# GitHub Security Lab (GHSL) Vulnerability Report, rembg: `GHSL-2024-161`, `GHSL-2024-162`\n\nThe [GitHub Security Lab](https://securitylab.github.com) team has identified potential security vulnerabilities in [rembg](https://github.com/danielgatis/rembg).\n\nWe are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.\n\nIf at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2024-161` or `GHSL-2024-162` as a reference). See also [this blog post](https://github.blog/2022-04-22-removing-the-stigma-of-a-cve/) written by GitHub\u0027s Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure.\n\nIf you are _NOT_ the correct point of contact for this report, please let us know!\n\n## Summary\n\nrembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration, which may allow an attacker website to send requests to servers on the internal network and view image responses.\n\n## Project\n\nrembg\n\n## Tested Version\n\n[v2.0.57](https://github.com/danielgatis/rembg/releases/tag/v2.0.57)\n\n## Details\n\n### Issue 1: SSRF via `/api/remove` (`GHSL-2024-161`)\n\nThe [`/api/remove`](https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L237) endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg server.\n\n```python\n async def get_index(\n url: str = Query(\n default=..., description=\"URL of the image that has to be processed.\"\n ),\n commons: CommonQueryParams = Depends(),\n ):\n async with aiohttp.ClientSession() as session:\n async with session.get(url) as response:\n file = await response.read()\n return await asyncify(im_without_bg)(file, commons)\n```\n\n#### Impact\n\nThis issue may lead to `Information Disclosure`.\n\n#### Remediation\n\nEnsure that the IP address specified is not a local address. If resolving a domain name, ensure that the resolved IP address is not local.\n\n#### Proof of Concept\n\n`curl -s \"http://localhost:7000/api/remove?url=http://0.0.0.0/secret.png\" -o output.png`\n\n\n### Issue 2: CORS misconfiguration (`GHSL-2024-162`)\n\nThe following [CORS middleware](https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93) is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, `allow_credentials` is set to True, which would allow any website to send authenticated cross site requests.\n\n```python\n app.add_middleware(\n CORSMiddleware,\n allow_credentials=True,\n allow_origins=[\"*\"],\n allow_methods=[\"*\"],\n allow_headers=[\"*\"],\n )\n\n```\n\n#### Impact\n\nThis issue may increase the severity of other vulnerabilities.\n\n#### Remediation\n\nCreate an allowlist of specific endpoints that can send cross site requests to the rembg server.\n\n#### Proof of Concept\n\nAn attacker website can host the following code:\n```javascript\nconst response = await fetch(\"http://localhost:7000/api/remove?url=https://0.0.0.0/secret.jpg\");\n```\nIf a victim running rembg server were to access the attacker website, the attacker website could read the file `secret.jpg` from the server hosted on the victim\u0027s internal network.\n\n## GitHub Security Advisories\n\nWe recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).\n\n## Credit\n\nThese issues were discovered and reported by GHSL team member [@Kwstubbs (Kevin Stubbings)](https://github.com/Kwstubbs).\n\n## Contact\n\nYou can contact the GHSL team at `securitylab@github.com`, please include a reference to `GHSL-2024-161` or `GHSL-2024-162` in any communication regarding these issues.\n\n## Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
"id": "GHSA-55v6-g8pm-pw4c",
"modified": "2026-04-10T22:09:15Z",
"published": "2026-04-10T22:09:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/danielgatis/rembg/security/advisories/GHSA-55v6-g8pm-pw4c"
},
{
"type": "WEB",
"url": "https://github.com/danielgatis/rembg/commit/07ad0d493057bddf821dcc3e2410eb7e065257c0"
},
{
"type": "PACKAGE",
"url": "https://github.com/danielgatis/rembg"
},
{
"type": "WEB",
"url": "https://github.com/danielgatis/rembg/releases/tag/v2.0.75"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration"
}
GHSA-5658-G88G-9PMW
Vulnerability from github – Published: 2022-09-13 00:00 – Updated: 2022-09-16 00:00SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.
{
"affected": [],
"aliases": [
"CVE-2022-38292"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-12T21:15:00Z",
"severity": "CRITICAL"
},
"details": "SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.",
"id": "GHSA-5658-g88g-9pmw",
"modified": "2022-09-16T00:00:39Z",
"published": "2022-09-13T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38292"
},
{
"type": "WEB",
"url": "https://github.com/slims/slims9_bulian/issues/158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5686-39P2-JCPX
Vulnerability from github – Published: 2025-10-03 21:30 – Updated: 2025-12-22 15:30Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker‑supplied destination. Both endpoints are exposed with permission => 'any', enabling unauthenticated SSRF for internal network scanning and service interaction.
This issue affects OpenSupports: 4.11.0.
{
"affected": [],
"aliases": [
"CVE-2025-10695"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-03T21:15:33Z",
"severity": "MODERATE"
},
"details": "Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker\u2011supplied destination.\u00a0Both endpoints are exposed with permission =\u003e \u0027any\u0027, enabling unauthenticated SSRF for internal network scanning and service interaction.\n\nThis issue affects OpenSupports: 4.11.0.",
"id": "GHSA-5686-39p2-jcpx",
"modified": "2025-12-22T15:30:20Z",
"published": "2025-10-03T21:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10695"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/freer"
},
{
"type": "WEB",
"url": "https://github.com/opensupports/opensupports"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-56C3-VFP2-5QQJ
Vulnerability from github – Published: 2026-04-30 18:12 – Updated: 2026-05-11 13:29Impact
In the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous URL validator in SSRFProtection.validateUrlSync() had no IPv6 checks. IPv4-mapped IPv6 addresses such as http://[::ffff:169.254.169.254] bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker able to supply an n8nApiUrl value could cause the server to issue HTTP requests to cloud metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), RFC1918 private networks, or localhost services. Response bodies are returned to the caller (non-blind SSRF), and the n8nApiKey is forwarded in the x-n8n-api-key header to the attacker-controlled target.
The first-party HTTP server deployment was not primarily affected — it has a second async validator (validateWebhookUrl) that catches IPv6 addresses.
Impact category: CWE-918 (Server-Side Request Forgery).
Affected
Deployments embedding n8n-mcp as an SDK using N8NDocumentationMCPServer or N8NMCPEngine with user-supplied InstanceContext on versions v2.47.4 through v2.47.13.
Patched
v2.47.14 and later.
- npm:
npx n8n-mcp@latest(or pin to>= 2.47.14) - Docker:
docker pull ghcr.io/czlonkowski/n8n-mcp:latest
Workarounds
If developers cannot upgrade immediately:
- Validate URLs before passing to the SDK — reject any
n8nApiUrlwhose hostname is an IP literal (bracketed IPv6 or dotted IPv4) before callingN8NDocumentationMCPServer/getN8nApiClient(). Accept only URLs with DNS-resolvable hostnames. - Restrict egress at the network layer — block outbound traffic from the n8n-mcp process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local
169.254.0.0/16, and cloud metadata endpoints. Defense-in-depth against this class of issue and recommended even after upgrading. - Do not accept user-controlled
n8nApiUrlvalues — if the project's integration derives the URL from internal configuration only, this vulnerability is not reachable.
Upgrading to v2.47.14 is still strongly recommended.
Credit
Reported by @manthanghasadiya.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n-mcp"
},
"ranges": [
{
"events": [
{
"introduced": "2.47.4"
},
{
"fixed": "2.47.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42449"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-30T18:12:54Z",
"nvd_published_at": "2026-05-07T21:16:30Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIn the SDK embedder path (`N8NDocumentationMCPServer` constructor, `getN8nApiClient()`, and `validateInstanceContext()`), the synchronous URL validator in `SSRFProtection.validateUrlSync()` had no IPv6 checks. IPv4-mapped IPv6 addresses such as `http://[::ffff:169.254.169.254]` bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker able to supply an `n8nApiUrl` value could cause the server to issue HTTP requests to cloud metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), RFC1918 private networks, or localhost services. Response bodies are returned to the caller (non-blind SSRF), and the `n8nApiKey` is forwarded in the `x-n8n-api-key` header to the attacker-controlled target.\n\nThe first-party HTTP server deployment was not primarily affected \u2014 it has a second async validator (`validateWebhookUrl`) that catches IPv6 addresses.\n\nImpact category: **CWE-918** (Server-Side Request Forgery).\n\n### Affected\n\nDeployments embedding n8n-mcp as an SDK using `N8NDocumentationMCPServer` or `N8NMCPEngine` with user-supplied `InstanceContext` on versions **v2.47.4 through v2.47.13**.\n\n### Patched\n\n**v2.47.14** and later.\n\n- npm: `npx n8n-mcp@latest` (or pin to `\u003e= 2.47.14`)\n- Docker: `docker pull ghcr.io/czlonkowski/n8n-mcp:latest`\n\n### Workarounds\n\nIf developers cannot upgrade immediately:\n\n- **Validate URLs before passing to the SDK** \u2014 reject any `n8nApiUrl` whose hostname is an IP literal (bracketed IPv6 or dotted IPv4) before calling `N8NDocumentationMCPServer` / `getN8nApiClient()`. Accept only URLs with DNS-resolvable hostnames.\n- **Restrict egress at the network layer** \u2014 block outbound traffic from the n8n-mcp process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local `169.254.0.0/16`, and cloud metadata endpoints. Defense-in-depth against this class of issue and recommended even after upgrading.\n- **Do not accept user-controlled `n8nApiUrl` values** \u2014 if the project\u0027s integration derives the URL from internal configuration only, this vulnerability is not reachable.\n\nUpgrading to v2.47.14 is still strongly recommended.\n\n### Credit\n\nReported by @manthanghasadiya.",
"id": "GHSA-56c3-vfp2-5qqj",
"modified": "2026-05-11T13:29:47Z",
"published": "2026-04-30T18:12:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-56c3-vfp2-5qqj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42449"
},
{
"type": "WEB",
"url": "https://github.com/czlonkowski/n8n-mcp/commit/9639f757853149f0cb16663cc8b6b6468f27a25f"
},
{
"type": "PACKAGE",
"url": "https://github.com/czlonkowski/n8n-mcp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "n8n-mcp\u0027s IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders"
}
GHSA-56CV-C5P2-J2WG
Vulnerability from github – Published: 2026-03-12 14:23 – Updated: 2026-03-12 14:23Summary
The /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services.
Affected Code
File: /kernel/api/network.go (Lines 153-317)
func forwardProxy(c *gin.Context) {
ret := gulu.Ret.NewResult()
defer c.JSON(http.StatusOK, ret)
arg, ok := util.JsonArg(c, ret)
if !ok {
return
}
destURL := arg["url"].(string)
// VULNERABILITY: Only validates URL format, not destination
if _, e := url.ParseRequestURI(destURL); nil != e {
ret.Code = -1
ret.Msg = "invalid [url]"
return
}
// ... HTTP request is made to user-controlled URL ...
resp, err := request.Send(method, destURL)
// Full response body is returned to the user
bodyData, err := io.ReadAll(resp.Body)
// ...
ret.Data = data // Contains full response body
}
PoC
- First, authenticate with your access auth code and copy the authenticated cookie.
- Now use the request below for SSRF to Access Cloud Metadata.
POST /api/network/forwardProxy HTTP/1.1
Host: <HOST>
Cookie: siyuan=<COOKIE>
Content-Length: 102
{"url":"http://169.254.169.254/metadata/v1/","method":"GET","headers":[],"payload":"","timeout":7000}'
Impact
- Internal Network Reconnaissance: Attackers can scan internal services
- Cloud Credential Theft: Potential access to cloud metadata and IAM credentials
- Data Exfiltration: Server can be used as a proxy to access internal resources
- Firewall Bypass: Requests originate from trusted internal IP
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.9"
},
"package": {
"ecosystem": "Go",
"name": "github.com/siyuan-note/siyuan/kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32110"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:23:14Z",
"nvd_published_at": "2026-03-11T21:16:17Z",
"severity": "HIGH"
},
"details": "### Summary\nThe `/api/network/forwardProxy` endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services.\n\n### Affected Code\nFile: `/kernel/api/network.go` (Lines `153-317`)\n```\nfunc forwardProxy(c *gin.Context) {\n ret := gulu.Ret.NewResult()\n defer c.JSON(http.StatusOK, ret)\n\n arg, ok := util.JsonArg(c, ret)\n if !ok {\n return\n }\n\n destURL := arg[\"url\"].(string)\n // VULNERABILITY: Only validates URL format, not destination\n if _, e := url.ParseRequestURI(destURL); nil != e {\n ret.Code = -1\n ret.Msg = \"invalid [url]\"\n return\n }\n\n // ... HTTP request is made to user-controlled URL ...\n resp, err := request.Send(method, destURL)\n \n // Full response body is returned to the user\n bodyData, err := io.ReadAll(resp.Body)\n // ...\n ret.Data = data // Contains full response body\n}\n```\n### PoC\n- First, authenticate with your access auth code and copy the authenticated cookie.\n- Now use the request below for SSRF to Access Cloud Metadata.\n```\nPOST /api/network/forwardProxy HTTP/1.1\nHost: \u003cHOST\u003e\nCookie: siyuan=\u003cCOOKIE\u003e\nContent-Length: 102\n\n{\"url\":\"http://169.254.169.254/metadata/v1/\",\"method\":\"GET\",\"headers\":[],\"payload\":\"\",\"timeout\":7000}\u0027\n```\n\u003cimg width=\"1230\" height=\"754\" alt=\"Screenshot 2026-03-11 at 1 23 36\u202fAM\" src=\"https://github.com/user-attachments/assets/60486dba-1ccd-4287-8073-b803854756a2\" /\u003e\n\n### Impact\n- Internal Network Reconnaissance: Attackers can scan internal services\n- Cloud Credential Theft: Potential access to cloud metadata and IAM credentials\n- Data Exfiltration: Server can be used as a proxy to access internal resources\n- Firewall Bypass: Requests originate from trusted internal IP",
"id": "GHSA-56cv-c5p2-j2wg",
"modified": "2026-03-12T14:23:14Z",
"published": "2026-03-12T14:23:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56cv-c5p2-j2wg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32110"
},
{
"type": "PACKAGE",
"url": "https://github.com/siyuan-note/siyuan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "SiYuan has a Full-Read SSRF via /api/network/forwardProxy"
}
GHSA-56F2-HVWG-5743
Vulnerability from github – Published: 2026-02-17 17:13 – Updated: 2026-02-17 17:13Summary
A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets.
Affected Versions
- npm: openclaw <= 2026.2.1
Patched Versions
- npm: openclaw 2026.2.2 and later
Fix Commits
- 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks)
- 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage)
Details
The Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets.
This was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning).
Exploitability Notes
- Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted
imagearguments into tool calls). - The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.).
- Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP
Metadata-Flavor, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments. - Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present.
Thanks @p80n-sec for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T17:13:35Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nA server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets.\n\n## Affected Versions\n\n- npm: openclaw \u003c= 2026.2.1\n\n## Patched Versions\n\n- npm: openclaw 2026.2.2 and later\n\n## Fix Commits\n\n- 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks)\n- 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage)\n\n## Details\n\nThe Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets.\n\nThis was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning).\n\n## Exploitability Notes\n\n- Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted `image` arguments into tool calls).\n- The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.).\n- Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP `Metadata-Flavor`, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments.\n- Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present.\n\nThanks @p80n-sec for reporting.",
"id": "GHSA-56f2-hvwg-5743",
"modified": "2026-02-17T17:13:35Z",
"published": "2026-02-17T17:13:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/9bd64c8a1f91dda602afc1d5246a2ff2be164647"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw affected by SSRF in Image Tool Remote Fetch"
}
GHSA-56MC-83VH-WP99
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 21:30Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify url-shortify allows Server Side Request Forgery.This issue affects URL Shortify: from n/a through <= 1.12.3.
{
"affected": [],
"aliases": [
"CVE-2026-25385"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T09:16:20Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify url-shortify allows Server Side Request Forgery.This issue affects URL Shortify: from n/a through \u003c= 1.12.3.",
"id": "GHSA-56mc-83vh-wp99",
"modified": "2026-02-19T21:30:45Z",
"published": "2026-02-19T18:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25385"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/url-shortify/vulnerability/wordpress-url-shortify-plugin-1-12-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-56P4-CFQW-JX4H
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs POST /internal/models/download and GET /view, allowing attackers to abuse the victim server's credentials to access unauthorized web resources.
{
"affected": [],
"aliases": [
"CVE-2024-12882"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:31Z",
"severity": "HIGH"
},
"details": "comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs `POST /internal/models/download` and `GET /view`, allowing attackers to abuse the victim server\u0027s credentials to access unauthorized web resources.",
"id": "GHSA-56p4-cfqw-jx4h",
"modified": "2025-03-20T12:32:45Z",
"published": "2025-03-20T12:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12882"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/e8768cb1-6a80-40c1-9cdf-bcd21f01f85a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-56P9-PG8F-R3QR
Vulnerability from github – Published: 2025-02-27 06:30 – Updated: 2025-02-27 06:30The OneStore Sites plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.1.1 via the class-export.php file. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
{
"affected": [],
"aliases": [
"CVE-2024-13905"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T05:15:13Z",
"severity": "MODERATE"
},
"details": "The OneStore Sites plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.1.1 via the class-export.php file. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
"id": "GHSA-56p9-pg8f-r3qr",
"modified": "2025-02-27T06:30:53Z",
"published": "2025-02-27T06:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13905"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/onestore-sites/trunk/classess/class-export.php#L3"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c70d5f-beb3-480e-8ea8-c3ab01ce5a20?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5758-75JC-F6CH
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31A server-side request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could lead to proxied network scans.
{
"affected": [],
"aliases": [
"CVE-2018-7516"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-22T18:29:00Z",
"severity": "HIGH"
},
"details": "A server-side request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could lead to proxied network scans.",
"id": "GHSA-5758-75jc-f6ch",
"modified": "2022-05-13T01:31:52Z",
"published": "2022-05-13T01:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7516"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-079-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103474"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.