Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4658 vulnerabilities reference this CWE, most recent first.

GHSA-55V6-G8PM-PW4C

Vulnerability from github – Published: 2026-04-10 22:09 – Updated: 2026-04-10 22:09
VLAI
Summary
rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration
Details

GitHub Security Lab (GHSL) Vulnerability Report, rembg: GHSL-2024-161, GHSL-2024-162

The GitHub Security Lab team has identified potential security vulnerabilities in rembg.

We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.

If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include GHSL-2024-161 or GHSL-2024-162 as a reference). See also this blog post written by GitHub's Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure.

If you are NOT the correct point of contact for this report, please let us know!

Summary

rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration, which may allow an attacker website to send requests to servers on the internal network and view image responses.

Project

rembg

Tested Version

v2.0.57

Details

Issue 1: SSRF via /api/remove (GHSL-2024-161)

The /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg server.

 async def get_index(
        url: str = Query(
            default=..., description="URL of the image that has to be processed."
        ),
        commons: CommonQueryParams = Depends(),
    ):
        async with aiohttp.ClientSession() as session:
            async with session.get(url) as response:
                file = await response.read()
                return await asyncify(im_without_bg)(file, commons)

Impact

This issue may lead to Information Disclosure.

Remediation

Ensure that the IP address specified is not a local address. If resolving a domain name, ensure that the resolved IP address is not local.

Proof of Concept

curl -s "http://localhost:7000/api/remove?url=http://0.0.0.0/secret.png" -o output.png

Issue 2: CORS misconfiguration (GHSL-2024-162)

The following CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.

    app.add_middleware(
        CORSMiddleware,
        allow_credentials=True,
        allow_origins=["*"],
        allow_methods=["*"],
        allow_headers=["*"],
    )

Impact

This issue may increase the severity of other vulnerabilities.

Remediation

Create an allowlist of specific endpoints that can send cross site requests to the rembg server.

Proof of Concept

An attacker website can host the following code:

const response = await fetch("http://localhost:7000/api/remove?url=https://0.0.0.0/secret.jpg");

If a victim running rembg server were to access the attacker website, the attacker website could read the file secret.jpg from the server hosted on the victim's internal network.

GitHub Security Advisories

We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.

Credit

These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-161 or GHSL-2024-162 in any communication regarding these issues.

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rembg"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.75"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T22:09:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# GitHub Security Lab (GHSL) Vulnerability Report, rembg: `GHSL-2024-161`, `GHSL-2024-162`\n\nThe [GitHub Security Lab](https://securitylab.github.com) team has identified potential security vulnerabilities in [rembg](https://github.com/danielgatis/rembg).\n\nWe are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.\n\nIf at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2024-161` or `GHSL-2024-162` as a reference). See also [this blog post](https://github.blog/2022-04-22-removing-the-stigma-of-a-cve/) written by GitHub\u0027s Advisory Curation team which explains what CVEs and advisories are, why they are important to track vulnerabilities and keep downstream users informed, the CVE assigning process, and how they are used to keep open source software secure.\n\nIf you are _NOT_ the correct point of contact for this report, please let us know!\n\n## Summary\n\nrembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration, which may allow an attacker website to send requests to servers on the internal network and view image responses.\n\n## Project\n\nrembg\n\n## Tested Version\n\n[v2.0.57](https://github.com/danielgatis/rembg/releases/tag/v2.0.57)\n\n## Details\n\n### Issue 1: SSRF via `/api/remove` (`GHSL-2024-161`)\n\nThe [`/api/remove`](https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L237) endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may  be able to query this endpoint to view pictures hosted on the internal network of the rembg server.\n\n```python\n async def get_index(\n        url: str = Query(\n            default=..., description=\"URL of the image that has to be processed.\"\n        ),\n        commons: CommonQueryParams = Depends(),\n    ):\n        async with aiohttp.ClientSession() as session:\n            async with session.get(url) as response:\n                file = await response.read()\n                return await asyncify(im_without_bg)(file, commons)\n```\n\n#### Impact\n\nThis issue may lead to `Information Disclosure`.\n\n#### Remediation\n\nEnsure that the IP address specified is not a local address. If resolving a domain name, ensure that the resolved IP address is not local.\n\n#### Proof of Concept\n\n`curl -s \"http://localhost:7000/api/remove?url=http://0.0.0.0/secret.png\" -o output.png`\n\n\n### Issue 2: CORS misconfiguration (`GHSL-2024-162`)\n\nThe following [CORS middleware](https://github.com/danielgatis/rembg/blob/d1e00734f8a996abf512a3a5c251c7a9a392c90a/rembg/commands/s_command.py#L93) is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, `allow_credentials` is set to True, which would allow any website to send authenticated cross site requests.\n\n```python\n    app.add_middleware(\n        CORSMiddleware,\n        allow_credentials=True,\n        allow_origins=[\"*\"],\n        allow_methods=[\"*\"],\n        allow_headers=[\"*\"],\n    )\n\n```\n\n#### Impact\n\nThis issue may increase the severity of other vulnerabilities.\n\n#### Remediation\n\nCreate an allowlist of specific endpoints that can send cross site requests to the rembg server.\n\n#### Proof of Concept\n\nAn attacker website can host the following code:\n```javascript\nconst response = await fetch(\"http://localhost:7000/api/remove?url=https://0.0.0.0/secret.jpg\");\n```\nIf a victim running rembg server were to access the attacker website, the attacker website could read the file `secret.jpg` from the server hosted on the victim\u0027s internal network.\n\n## GitHub Security Advisories\n\nWe recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).\n\n## Credit\n\nThese issues were discovered and reported by GHSL team member [@Kwstubbs (Kevin Stubbings)](https://github.com/Kwstubbs).\n\n## Contact\n\nYou can contact the GHSL team at `securitylab@github.com`, please include a reference to `GHSL-2024-161` or `GHSL-2024-162` in any communication regarding these issues.\n\n## Disclosure Policy\n\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
  "id": "GHSA-55v6-g8pm-pw4c",
  "modified": "2026-04-10T22:09:15Z",
  "published": "2026-04-10T22:09:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/danielgatis/rembg/security/advisories/GHSA-55v6-g8pm-pw4c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/danielgatis/rembg/commit/07ad0d493057bddf821dcc3e2410eb7e065257c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/danielgatis/rembg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/danielgatis/rembg/releases/tag/v2.0.75"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration"
}

GHSA-5658-G88G-9PMW

Vulnerability from github – Published: 2022-09-13 00:00 – Updated: 2022-09-16 00:00
VLAI
Details

SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-12T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.",
  "id": "GHSA-5658-g88g-9pmw",
  "modified": "2022-09-16T00:00:39Z",
  "published": "2022-09-13T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38292"
    },
    {
      "type": "WEB",
      "url": "https://github.com/slims/slims9_bulian/issues/158"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5686-39P2-JCPX

Vulnerability from github – Published: 2025-10-03 21:30 – Updated: 2025-12-22 15:30
VLAI
Details

Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker‑supplied destination. Both endpoints are exposed with permission => 'any', enabling unauthenticated SSRF for internal network scanning and service interaction.

This issue affects OpenSupports: 4.11.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T21:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker\u2011supplied destination.\u00a0Both endpoints are exposed with permission =\u003e \u0027any\u0027, enabling unauthenticated SSRF for internal network scanning and service interaction.\n\nThis issue affects OpenSupports: 4.11.0.",
  "id": "GHSA-5686-39p2-jcpx",
  "modified": "2025-12-22T15:30:20Z",
  "published": "2025-10-03T21:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10695"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/freer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensupports/opensupports"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-56C3-VFP2-5QQJ

Vulnerability from github – Published: 2026-04-30 18:12 – Updated: 2026-05-11 13:29
VLAI
Summary
n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders
Details

Impact

In the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous URL validator in SSRFProtection.validateUrlSync() had no IPv6 checks. IPv4-mapped IPv6 addresses such as http://[::ffff:169.254.169.254] bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker able to supply an n8nApiUrl value could cause the server to issue HTTP requests to cloud metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), RFC1918 private networks, or localhost services. Response bodies are returned to the caller (non-blind SSRF), and the n8nApiKey is forwarded in the x-n8n-api-key header to the attacker-controlled target.

The first-party HTTP server deployment was not primarily affected — it has a second async validator (validateWebhookUrl) that catches IPv6 addresses.

Impact category: CWE-918 (Server-Side Request Forgery).

Affected

Deployments embedding n8n-mcp as an SDK using N8NDocumentationMCPServer or N8NMCPEngine with user-supplied InstanceContext on versions v2.47.4 through v2.47.13.

Patched

v2.47.14 and later.

  • npm: npx n8n-mcp@latest (or pin to >= 2.47.14)
  • Docker: docker pull ghcr.io/czlonkowski/n8n-mcp:latest

Workarounds

If developers cannot upgrade immediately:

  • Validate URLs before passing to the SDK — reject any n8nApiUrl whose hostname is an IP literal (bracketed IPv6 or dotted IPv4) before calling N8NDocumentationMCPServer / getN8nApiClient(). Accept only URLs with DNS-resolvable hostnames.
  • Restrict egress at the network layer — block outbound traffic from the n8n-mcp process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local 169.254.0.0/16, and cloud metadata endpoints. Defense-in-depth against this class of issue and recommended even after upgrading.
  • Do not accept user-controlled n8nApiUrl values — if the project's integration derives the URL from internal configuration only, this vulnerability is not reachable.

Upgrading to v2.47.14 is still strongly recommended.

Credit

Reported by @manthanghasadiya.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n-mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.47.4"
            },
            {
              "fixed": "2.47.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T18:12:54Z",
    "nvd_published_at": "2026-05-07T21:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn the SDK embedder path (`N8NDocumentationMCPServer` constructor, `getN8nApiClient()`, and `validateInstanceContext()`), the synchronous URL validator in `SSRFProtection.validateUrlSync()` had no IPv6 checks. IPv4-mapped IPv6 addresses such as `http://[::ffff:169.254.169.254]` bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker able to supply an `n8nApiUrl` value could cause the server to issue HTTP requests to cloud metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), RFC1918 private networks, or localhost services. Response bodies are returned to the caller (non-blind SSRF), and the `n8nApiKey` is forwarded in the `x-n8n-api-key` header to the attacker-controlled target.\n\nThe first-party HTTP server deployment was not primarily affected \u2014 it has a second async validator (`validateWebhookUrl`) that catches IPv6 addresses.\n\nImpact category: **CWE-918** (Server-Side Request Forgery).\n\n### Affected\n\nDeployments embedding n8n-mcp as an SDK using `N8NDocumentationMCPServer` or `N8NMCPEngine` with user-supplied `InstanceContext` on versions **v2.47.4 through v2.47.13**.\n\n### Patched\n\n**v2.47.14** and later.\n\n- npm: `npx n8n-mcp@latest` (or pin to `\u003e= 2.47.14`)\n- Docker: `docker pull ghcr.io/czlonkowski/n8n-mcp:latest`\n\n### Workarounds\n\nIf developers cannot upgrade immediately:\n\n- **Validate URLs before passing to the SDK** \u2014 reject any `n8nApiUrl` whose hostname is an IP literal (bracketed IPv6 or dotted IPv4) before calling `N8NDocumentationMCPServer` / `getN8nApiClient()`. Accept only URLs with DNS-resolvable hostnames.\n- **Restrict egress at the network layer** \u2014 block outbound traffic from the n8n-mcp process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local `169.254.0.0/16`, and cloud metadata endpoints. Defense-in-depth against this class of issue and recommended even after upgrading.\n- **Do not accept user-controlled `n8nApiUrl` values** \u2014 if the project\u0027s integration derives the URL from internal configuration only, this vulnerability is not reachable.\n\nUpgrading to v2.47.14 is still strongly recommended.\n\n### Credit\n\nReported by @manthanghasadiya.",
  "id": "GHSA-56c3-vfp2-5qqj",
  "modified": "2026-05-11T13:29:47Z",
  "published": "2026-04-30T18:12:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-56c3-vfp2-5qqj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/czlonkowski/n8n-mcp/commit/9639f757853149f0cb16663cc8b6b6468f27a25f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/czlonkowski/n8n-mcp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "n8n-mcp\u0027s IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders"
}

GHSA-56CV-C5P2-J2WG

Vulnerability from github – Published: 2026-03-12 14:23 – Updated: 2026-03-12 14:23
VLAI
Summary
SiYuan has a Full-Read SSRF via /api/network/forwardProxy
Details

Summary

The /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services.

Affected Code

File: /kernel/api/network.go (Lines 153-317)

func forwardProxy(c *gin.Context) {
    ret := gulu.Ret.NewResult()
    defer c.JSON(http.StatusOK, ret)

    arg, ok := util.JsonArg(c, ret)
    if !ok {
        return
    }

    destURL := arg["url"].(string)
    // VULNERABILITY: Only validates URL format, not destination
    if _, e := url.ParseRequestURI(destURL); nil != e {
        ret.Code = -1
        ret.Msg = "invalid [url]"
        return
    }

    // ... HTTP request is made to user-controlled URL ...
    resp, err := request.Send(method, destURL)

    // Full response body is returned to the user
    bodyData, err := io.ReadAll(resp.Body)
    // ...
    ret.Data = data  // Contains full response body
}

PoC

  • First, authenticate with your access auth code and copy the authenticated cookie.
  • Now use the request below for SSRF to Access Cloud Metadata.
POST /api/network/forwardProxy HTTP/1.1
Host: <HOST>
Cookie: siyuan=<COOKIE>
Content-Length: 102

{"url":"http://169.254.169.254/metadata/v1/","method":"GET","headers":[],"payload":"","timeout":7000}'

Screenshot 2026-03-11 at 1 23 36 AM

Impact

  • Internal Network Reconnaissance: Attackers can scan internal services
  • Cloud Credential Theft: Potential access to cloud metadata and IAM credentials
  • Data Exfiltration: Server can be used as a proxy to access internal resources
  • Firewall Bypass: Requests originate from trusted internal IP
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.5.9"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:23:14Z",
    "nvd_published_at": "2026-03-11T21:16:17Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `/api/network/forwardProxy` endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services.\n\n### Affected Code\nFile: `/kernel/api/network.go` (Lines `153-317`)\n```\nfunc forwardProxy(c *gin.Context) {\n    ret := gulu.Ret.NewResult()\n    defer c.JSON(http.StatusOK, ret)\n\n    arg, ok := util.JsonArg(c, ret)\n    if !ok {\n        return\n    }\n\n    destURL := arg[\"url\"].(string)\n    // VULNERABILITY: Only validates URL format, not destination\n    if _, e := url.ParseRequestURI(destURL); nil != e {\n        ret.Code = -1\n        ret.Msg = \"invalid [url]\"\n        return\n    }\n\n    // ... HTTP request is made to user-controlled URL ...\n    resp, err := request.Send(method, destURL)\n    \n    // Full response body is returned to the user\n    bodyData, err := io.ReadAll(resp.Body)\n    // ...\n    ret.Data = data  // Contains full response body\n}\n```\n### PoC\n- First, authenticate with your access auth code and copy the authenticated cookie.\n- Now use the request below for SSRF to Access Cloud Metadata.\n```\nPOST /api/network/forwardProxy HTTP/1.1\nHost: \u003cHOST\u003e\nCookie: siyuan=\u003cCOOKIE\u003e\nContent-Length: 102\n\n{\"url\":\"http://169.254.169.254/metadata/v1/\",\"method\":\"GET\",\"headers\":[],\"payload\":\"\",\"timeout\":7000}\u0027\n```\n\u003cimg width=\"1230\" height=\"754\" alt=\"Screenshot 2026-03-11 at 1 23 36\u202fAM\" src=\"https://github.com/user-attachments/assets/60486dba-1ccd-4287-8073-b803854756a2\" /\u003e\n\n### Impact\n- Internal Network Reconnaissance: Attackers can scan internal services\n- Cloud Credential Theft: Potential access to cloud metadata and IAM credentials\n- Data Exfiltration: Server can be used as a proxy to access internal resources\n- Firewall Bypass: Requests originate from trusted internal IP",
  "id": "GHSA-56cv-c5p2-j2wg",
  "modified": "2026-03-12T14:23:14Z",
  "published": "2026-03-12T14:23:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56cv-c5p2-j2wg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32110"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan has a Full-Read SSRF via /api/network/forwardProxy"
}

GHSA-56F2-HVWG-5743

Vulnerability from github – Published: 2026-02-17 17:13 – Updated: 2026-02-17 17:13
VLAI
Summary
OpenClaw affected by SSRF in Image Tool Remote Fetch
Details

Summary

A server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets.

Affected Versions

  • npm: openclaw <= 2026.2.1

Patched Versions

  • npm: openclaw 2026.2.2 and later

Fix Commits

  • 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks)
  • 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage)

Details

The Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets.

This was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning).

Exploitability Notes

  • Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted image arguments into tool calls).
  • The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.).
  • Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP Metadata-Flavor, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments.
  • Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present.

Thanks @p80n-sec for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T17:13:35Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA server-side request forgery (SSRF) vulnerability in the Image tool allowed attackers to force OpenClaw to make HTTP requests to arbitrary internal or restricted network targets.\n\n## Affected Versions\n\n- npm: openclaw \u003c= 2026.2.1\n\n## Patched Versions\n\n- npm: openclaw 2026.2.2 and later\n\n## Fix Commits\n\n- 81c68f582d4a9a20d9cca9f367d2da9edc5a65ae (guard remote media fetches with SSRF checks)\n- 9bd64c8a1f91dda602afc1d5246a2ff2be164647 (expand SSRF guard coverage)\n\n## Details\n\nThe Image tool accepts file paths, file:// URLs, data: URLs, and http(s) URLs. In vulnerable versions, http(s) URLs were fetched without SSRF protections, enabling requests to localhost, RFC1918, link-local, and cloud metadata targets.\n\nThis was fixed by routing remote media fetching through the SSRF guard (private/internal IP + hostname blocking, redirect hardening, DNS pinning).\n\n## Exploitability Notes\n\n- Requires attacker-controlled invocation of the Image tool (direct tool access, or a gateway/channel surface that forwards untrusted `image` arguments into tool calls).\n- The image tool expects the fetched content to be an image. Many high-value SSRF targets return text/JSON (for example cloud metadata endpoints), which will typically fail media-type validation. In practice, the most direct confidentiality impact comes from internal endpoints that actually return images (screenshots/renderers, camera snapshots, chart exports, etc.).\n- Remote fetches are GET-only with no custom headers. Some metadata services require special headers or session tokens (for example GCP `Metadata-Flavor`, AWS IMDSv2 token), which can further reduce the likelihood of direct credential theft in some environments.\n- Despite the above constraints, SSRF remains a powerful primitive: it can enable internal network probing and access to unauthenticated/internal HTTP endpoints, and can chain with other weaknesses if present.\n\nThanks @p80n-sec for reporting.",
  "id": "GHSA-56f2-hvwg-5743",
  "modified": "2026-02-17T17:13:35Z",
  "published": "2026-02-17T17:13:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/9bd64c8a1f91dda602afc1d5246a2ff2be164647"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw affected by SSRF in Image Tool Remote Fetch"
}

GHSA-56MC-83VH-WP99

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 21:30
VLAI
Details

Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify url-shortify allows Server Side Request Forgery.This issue affects URL Shortify: from n/a through <= 1.12.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25385"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T09:16:20Z",
    "severity": "MODERATE"
  },
  "details": "Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify url-shortify allows Server Side Request Forgery.This issue affects URL Shortify: from n/a through \u003c= 1.12.3.",
  "id": "GHSA-56mc-83vh-wp99",
  "modified": "2026-02-19T21:30:45Z",
  "published": "2026-02-19T18:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25385"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/url-shortify/vulnerability/wordpress-url-shortify-plugin-1-12-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56P4-CFQW-JX4H

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs POST /internal/models/download and GET /view, allowing attackers to abuse the victim server's credentials to access unauthorized web resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:31Z",
    "severity": "HIGH"
  },
  "details": "comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs `POST /internal/models/download` and `GET /view`, allowing attackers to abuse the victim server\u0027s credentials to access unauthorized web resources.",
  "id": "GHSA-56p4-cfqw-jx4h",
  "modified": "2025-03-20T12:32:45Z",
  "published": "2025-03-20T12:32:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12882"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/e8768cb1-6a80-40c1-9cdf-bcd21f01f85a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56P9-PG8F-R3QR

Vulnerability from github – Published: 2025-02-27 06:30 – Updated: 2025-02-27 06:30
VLAI
Details

The OneStore Sites plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.1.1 via the class-export.php file. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T05:15:13Z",
    "severity": "MODERATE"
  },
  "details": "The OneStore Sites plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.1.1 via the class-export.php file. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
  "id": "GHSA-56p9-pg8f-r3qr",
  "modified": "2025-02-27T06:30:53Z",
  "published": "2025-02-27T06:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13905"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/onestore-sites/trunk/classess/class-export.php#L3"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c70d5f-beb3-480e-8ea8-c3ab01ce5a20?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5758-75JC-F6CH

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31
VLAI
Details

A server-side request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could lead to proxied network scans.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-22T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "A server-side request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could lead to proxied network scans.",
  "id": "GHSA-5758-75jc-f6ch",
  "modified": "2022-05-13T01:31:52Z",
  "published": "2022-05-13T01:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7516"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-079-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103474"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.