Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4652 vulnerabilities reference this CWE, most recent first.

GHSA-5J4W-5V7W-7FVV

Vulnerability from github – Published: 2026-03-27 03:31 – Updated: 2026-03-27 03:31
VLAI
Details

A vulnerability was identified in Page-Replica Page Replica up to e4a7f52e75093ee318b4d5a9a9db6751050d2ad0. The impacted element is the function sitemap.fetch of the file /sitemap of the component Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-27T02:16:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in Page-Replica Page Replica up to e4a7f52e75093ee318b4d5a9a9db6751050d2ad0. The impacted element is the function sitemap.fetch of the file /sitemap of the component Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-5j4w-5v7w-7fvv",
  "modified": "2026-03-27T03:31:32Z",
  "published": "2026-03-27T03:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4907"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lakshayyverma/CVE-Discovery/blob/main/page_replica.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.353658"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.353658"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.777447"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5J6H-79MJ-QFQ2

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2025-10-22 00:32
VLAI
Details

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-24T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).",
  "id": "GHSA-5j6h-79mj-qfq2",
  "modified": "2025-10-22T00:32:03Z",
  "published": "2022-05-24T17:43:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21973"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21973"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2021-0002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5J74-V2XH-7CPV

Vulnerability from github – Published: 2026-07-15 00:31 – Updated: 2026-07-15 00:31
VLAI
Details

CAI Content Credentials is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T22:17:00Z",
    "severity": "HIGH"
  },
  "details": "CAI Content Credentials is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.",
  "id": "GHSA-5j74-v2xh-7cpv",
  "modified": "2026-07-15T00:31:42Z",
  "published": "2026-07-15T00:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48290"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-80.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5J8C-469M-FQ24

Vulnerability from github – Published: 2024-07-31 09:30 – Updated: 2025-02-07 18:31
VLAI
Details

A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-5 running only on premise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209",
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-31T07:15:02Z",
    "severity": "CRITICAL"
  },
  "details": "A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery.\u00a0This issue only affects GravityZone Console versions before 6.38.1-5\u00a0running only on premise.",
  "id": "GHSA-5j8c-469m-fq24",
  "modified": "2025-02-07T18:31:16Z",
  "published": "2024-07-31T09:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6980"
    },
    {
      "type": "WEB",
      "url": "https://www.bitdefender.com/consumer/support/support/security-advisories/verbose-error-handling-issue-in-gravityzone-update-server-proxy-service"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5JCF-C5RG-RMM8

Vulnerability from github – Published: 2018-01-22 13:31 – Updated: 2023-01-26 20:24
VLAI
Summary
paperclip Server-Side Request Forgery vulnerability
Details

Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "paperclip"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.4"
            },
            {
              "fixed": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-0889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:16:31Z",
    "nvd_published_at": "2017-11-13T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the `Paperclip::UriAdapter` class. Attackers may be able to access information about internal network resources.",
  "id": "GHSA-5jcf-c5rg-rmm8",
  "modified": "2023-01-26T20:24:38Z",
  "published": "2018-01-22T13:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thoughtbot/paperclip/pull/2435"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/209430"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/paperclip/CVE-2017-0889.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thoughtbot/paperclip"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "paperclip Server-Side Request Forgery vulnerability"
}

GHSA-5JG7-JG3H-568W

Vulnerability from github – Published: 2025-02-27 09:31 – Updated: 2025-03-11 18:32
VLAI
Details

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.16.8 via the 'download' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T07:15:33Z",
    "severity": "MODERATE"
  },
  "details": "The Total Upkeep \u2013 WordPress Backup Plugin plus Restore \u0026 Migrate by BoldGrid plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.16.8 via the \u0027download\u0027 function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
  "id": "GHSA-5jg7-jg3h-568w",
  "modified": "2025-03-11T18:32:09Z",
  "published": "2025-02-27T09:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13907"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/boldgrid-backup/trunk/includes/class-boldgrid-backup-archive-fetcher.php#L141"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3246655"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21da92d2-c38d-4a12-b850-bd0b580aaa54?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JH9-2H63-PW4Q

Vulnerability from github – Published: 2026-05-29 20:21 – Updated: 2026-05-29 20:21
VLAI
Summary
CC-Tweaked has an SSRF Protection Bypass with NAT64
Details

Summary

CC-Tweaked's HTTP API (http.request, http.websocket) blocks requests to private network ranges to prevent server-side request forgery (SSRF). This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses (64:ff9b::/96). An attacker who can execute Lua code can reach any internal IPv4 service that the filter is intended to block, by addressing it as http://[64:ff9b::<ipv4-as-hex>]/ instead of its direct IPv4 address. This affects any CC-Tweaked deployment on a network with NAT64 routing — a configuration that is standard on AWS, GCP, and other cloud platforms when using IPv6-only subnets.

Details

The IP filter in PrivatePattern.matches() (AddressPredicate.java#L121–L130) blocks private network ranges by calling Java's standard InetAddress classification methods:

public boolean matches(InetAddress socketAddress) {
    return socketAddress.isAnyLocalAddress()
        || socketAddress.isLoopbackAddress()
        || socketAddress.isLinkLocalAddress()
        || socketAddress.isSiteLocalAddress()
        || socketAddress.isMulticastAddress()
        || isUniqueLocalAddress(socketAddress)
        || isCarrierGradeNatAddress(socketAddress)
        || additionalAddresses.contains(socketAddress);
}

When a NAT64 address such as 64:ff9b::c0a8:0101 (encoding 192.168.1.1) is resolved via new InetSocketAddress("64:ff9b::c0a8:0101", 80), Java returns an Inet6Address. Every method above returns false for this address — the 64:ff9b::/96 prefix is not recognised by any of Java's built-in classification methods. The address passes the filter and CC-Tweaked opens a connection.

On a network with a 64:ff9b::/96 → NAT Gateway route, that connection is translated at the network level: the embedded IPv4 address is extracted and the packet is forwarded to 192.168.1.1:80. The internal service receives a normal IPv4 TCP connection.

The existing 6to4 (2002::/16) mitigation in AddressRule.java#L74–L75 does not cover the NAT64 prefix. No other check catches 64:ff9b::/96.

PoC

Preconditions (all three required): 1. The server running CC-Tweaked has an IPv6 address assigned 2. The network has a NAT Gateway (or equivalent) 3. The route table contains 64:ff9b::/96 → NAT Gateway — the standard AWS/GCP configuration for IPv6-only subnets with outbound IPv4 access (AWS documentation)

Lua payload (targets an internal service at 10.0.1.17:8888):

-- 10.0.1.17 = 0x0a000111, expressed as NAT64: 64:ff9b::0a00:0111
local res = http.request("http://[64:ff9b::0a00:0111]:8888/")
if res then print(res.readAll()) end

Conversion formula — for any blocked IPv4 a.b.c.d, the bypass address is:

64:ff9b::<hex(a)><hex(b)>:<hex(c)><hex(d)>

Impact

This is a server-side request forgery (SSRF) vulnerability. Any user able to execute Lua code on a CC-Tweaked computer — including players on a public server — can use it to send HTTP requests to internal IPv4 services that the HTTP filter is designed to block. On cloud-hosted servers (AWS, GCP, Azure) using IPv6-only subnets with NAT64, which is an increasingly common configuration following AWS's February 2024 public IPv4 pricing change, this includes other instances in the VPC, internal databases, and cloud management APIs.

Suggested fix: add a check for the NAT64 well-known prefix in PrivatePattern.matches():

|| isNAT64Address(socketAddress)

private boolean isNAT64Address(InetAddress address) {
    if (!(address instanceof Inet6Address)) return false;
    byte[] b = address.getAddress();
    // 64:ff9b::/96 — NAT64 well-known prefix (RFC 6052)
    return b[0] == 0x00 && b[1] == 0x64 &&
           b[2] == (byte) 0xff && b[3] == (byte) 0x9b &&
           b[4] == 0 && b[5] == 0 && b[6] == 0 && b[7] == 0 &&
           b[8] == 0 && b[9] == 0 && b[10] == 0 && b[11] == 0;
}

This vulnerability does not seem to work on servers running on modern versions of MacOS.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cc.tweaked:cc-tweaked-1.21-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.119.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cc.tweaked:cc-tweaked-1.20.1-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.119.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cc.tweaked:cc-tweaked-1.20.4-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.119.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cc.tweaked:cc-tweaked-1.20.5-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.119.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cc.tweaked:cc-tweaked-1.20.6-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.119.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cc.tweaked:cc-tweaked-1.19.3-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.119.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cc.tweaked:cc-tweaked-1.19.4-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.119.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cc.tweaked:cc-tweaked-1.20-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.119.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T20:21:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nCC-Tweaked\u0027s HTTP API (`http.request`, `http.websocket`) blocks requests to private network ranges to prevent server-side request forgery (SSRF). This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses (`64:ff9b::/96`). An attacker who can execute Lua code can reach any internal IPv4 service that the filter is intended to block, by addressing it as `http://[64:ff9b::\u003cipv4-as-hex\u003e]/` instead of its direct IPv4 address. This affects any CC-Tweaked deployment on a network with NAT64 routing \u2014 a configuration that is standard on AWS, GCP, and other cloud platforms when using IPv6-only subnets.\n\n### Details\n\nThe IP filter in [`PrivatePattern.matches()` (AddressPredicate.java#L121\u2013L130)](https://github.com/cc-tweaked/CC-Tweaked/blob/663ffed4337da0dc3d82ace1e813e3c78b4a8c99/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java#L121-L130) blocks private network ranges by calling Java\u0027s standard `InetAddress` classification methods:\n\n```java\npublic boolean matches(InetAddress socketAddress) {\n    return socketAddress.isAnyLocalAddress()\n        || socketAddress.isLoopbackAddress()\n        || socketAddress.isLinkLocalAddress()\n        || socketAddress.isSiteLocalAddress()\n        || socketAddress.isMulticastAddress()\n        || isUniqueLocalAddress(socketAddress)\n        || isCarrierGradeNatAddress(socketAddress)\n        || additionalAddresses.contains(socketAddress);\n}\n```\n\nWhen a NAT64 address such as `64:ff9b::c0a8:0101` (encoding `192.168.1.1`) is resolved via `new InetSocketAddress(\"64:ff9b::c0a8:0101\", 80)`, Java returns an `Inet6Address`. Every method above returns `false` for this address \u2014 the `64:ff9b::/96` prefix is not recognised by any of Java\u0027s built-in classification methods. The address passes the filter and CC-Tweaked opens a connection.\n\nOn a network with a `64:ff9b::/96 \u2192 NAT Gateway` route, that connection is translated at the network level: the embedded IPv4 address is extracted and the packet is forwarded to `192.168.1.1:80`. The internal service receives a normal IPv4 TCP connection.\n\nThe existing 6to4 (`2002::/16`) mitigation in [`AddressRule.java#L74\u2013L75`](https://github.com/cc-tweaked/CC-Tweaked/blob/663ffed4337da0dc3d82ace1e813e3c78b4a8c99/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressRule.java#L74-L75) does not cover the NAT64 prefix. No other check catches `64:ff9b::/96`.\n\n### PoC\n\n**Preconditions** (all three required):\n1. The server running CC-Tweaked has an IPv6 address assigned\n2. The network has a NAT Gateway (or equivalent)\n3. The route table contains `64:ff9b::/96 \u2192 NAT Gateway` \u2014 the standard AWS/GCP configuration for IPv6-only subnets with outbound IPv4 access ([AWS documentation](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-nat64-dns64.html))\n\n**Lua payload** (targets an internal service at `10.0.1.17:8888`):\n```lua\n-- 10.0.1.17 = 0x0a000111, expressed as NAT64: 64:ff9b::0a00:0111\nlocal res = http.request(\"http://[64:ff9b::0a00:0111]:8888/\")\nif res then print(res.readAll()) end\n```\n\n**Conversion formula** \u2014 for any blocked IPv4 `a.b.c.d`, the bypass address is:\n```\n64:ff9b::\u003chex(a)\u003e\u003chex(b)\u003e:\u003chex(c)\u003e\u003chex(d)\u003e\n```\n\n### Impact\n\nThis is a server-side request forgery (SSRF) vulnerability. Any user able to execute Lua code on a CC-Tweaked computer \u2014 including players on a public server \u2014 can use it to send HTTP requests to internal IPv4 services that the HTTP filter is designed to block. On cloud-hosted servers (AWS, GCP, Azure) using IPv6-only subnets with NAT64, which is an [increasingly common configuration following AWS\u0027s February 2024 public IPv4 pricing change](https://aws.amazon.com/blogs/aws/new-aws-public-ipv4-address-charge-public-ip-insights/), this includes other instances in the VPC, internal databases, and cloud management APIs.\n\n**Suggested fix:** add a check for the NAT64 well-known prefix in [`PrivatePattern.matches()`](https://github.com/cc-tweaked/CC-Tweaked/blob/663ffed4337da0dc3d82ace1e813e3c78b4a8c99/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java#L121-L130):\n\n```java\n|| isNAT64Address(socketAddress)\n\nprivate boolean isNAT64Address(InetAddress address) {\n    if (!(address instanceof Inet6Address)) return false;\n    byte[] b = address.getAddress();\n    // 64:ff9b::/96 \u2014 NAT64 well-known prefix (RFC 6052)\n    return b[0] == 0x00 \u0026\u0026 b[1] == 0x64 \u0026\u0026\n           b[2] == (byte) 0xff \u0026\u0026 b[3] == (byte) 0x9b \u0026\u0026\n           b[4] == 0 \u0026\u0026 b[5] == 0 \u0026\u0026 b[6] == 0 \u0026\u0026 b[7] == 0 \u0026\u0026\n           b[8] == 0 \u0026\u0026 b[9] == 0 \u0026\u0026 b[10] == 0 \u0026\u0026 b[11] == 0;\n}\n```\n\nThis vulnerability does not seem to work on servers running on modern versions of MacOS.",
  "id": "GHSA-5jh9-2h63-pw4q",
  "modified": "2026-05-29T20:21:12Z",
  "published": "2026-05-29T20:21:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cc-tweaked/CC-Tweaked/security/advisories/GHSA-5jh9-2h63-pw4q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cc-tweaked/CC-Tweaked"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CC-Tweaked has an SSRF Protection Bypass with NAT64"
}

GHSA-5JJ7-GJCQ-HRC8

Vulnerability from github – Published: 2024-05-15 03:30 – Updated: 2024-05-15 03:30
VLAI
Details

ITPison OMICARD EDM fails to properly filter specific URL parameter, allowing unauthenticated remote attackers to modify the parameters and conduct Server-Side Request Forgery (SSRF) attacks. This vulnerability enables attackers to probe internal network information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-15T03:15:14Z",
    "severity": "MODERATE"
  },
  "details": "ITPison OMICARD EDM  fails to properly filter specific URL parameter, allowing unauthenticated remote attackers to modify the parameters and conduct Server-Side Request Forgery (SSRF) attacks. This vulnerability enables attackers to probe internal network information.",
  "id": "GHSA-5jj7-gjcq-hrc8",
  "modified": "2024-05-15T03:30:45Z",
  "published": "2024-05-15T03:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4894"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-7803-c0f73-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7802-18f3c-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JM5-RWHX-QV75

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.",
  "id": "GHSA-5jm5-rwhx-qv75",
  "modified": "2022-05-24T19:15:42Z",
  "published": "2022-05-24T19:15:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41586"
    },
    {
      "type": "WEB",
      "url": "https://security.gradle.com/advisory/2021-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5JQ6-2984-JH3P

Vulnerability from github – Published: 2024-11-08 18:30 – Updated: 2024-11-08 21:33
VLAI
Details

Northern.tech Mender before 3.6.6 and 3.7.x before 3.7.7 allows SSRF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-08T16:15:23Z",
    "severity": "MODERATE"
  },
  "details": "Northern.tech Mender before 3.6.6 and 3.7.x before 3.7.7 allows SSRF.",
  "id": "GHSA-5jq6-2984-jh3p",
  "modified": "2024-11-08T21:33:57Z",
  "published": "2024-11-08T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46947"
    },
    {
      "type": "WEB",
      "url": "https://mender.io/blog/cve-2024-46947-cve-2024-47190-ssrf-issues-in-mender-enterprise-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.