CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4620 vulnerabilities reference this CWE, most recent first.
GHSA-WC4H-2348-JC3P
Vulnerability from github – Published: 2026-04-03 03:30 – Updated: 2026-04-06 23:41Summary
Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client.
Attacker outcome : Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view).
Go’s default http.Client follows redirects (unless disabled). Redirect chains can move the server-side request from an allowed-looking host to an internal target; the code does not disable this in SendRequest.
Affected Components
Ech0 codebase:
-
internal/handler/common/common.go
Handles the/api/website/titleendpoint and accepts user-controlled URL input. -
internal/service/common/common.go
Processes the request and invokes the outbound HTTP fetch (GetWebsiteTitle). -
internal/util/http/http.go
Performs the HTTP request (SendRequest) with the following insecure configurations: - No URL validation or allowlist
- Redirects enabled (default client behavior)
InsecureSkipVerify: true
PoC
Environment: Ech0 listening on http://127.0.0.1:6277 (e.g. Docker image sn0wl1n/ech0:latest). No cookies or Authorization header.
Step 1 — baseline: unauthenticated server-side fetch (public URL):
curl.exe -sS -m 20 "http://127.0.0.1:6277/api/website/title?website_url=https://example.com"
Observed result (verified): HTTP 200, JSON with code: 1 and data Example Domain — proves the Ech0 process performed an outbound GET without any client auth.
Step 2 — impact: host-bound page + recorded leak (repo PoC file)
Committed PoC page: poc_ssrf_proof.html
- From
poc file directory, listen on 0.0.0.0 (port 9999):
python -m http.server 9999 --bind 0.0.0.0
- Docker Desktop (Windows / macOS): Ech0 in Docker fetches the host via
host.docker.internal:
curl.exe -sS -m 20 "http://127.0.0.1:6277/api/website/title?website_url=http://host.docker.internal:9999/poc_ssrf_proof.html"
Recorded response (verified this workspace, Ech0 4.2.2 in Docker):
{"code":1,"msg":"获取网站标题成功","data":"ECH0_SSRF_POC_LEAK_2026"}
Python server log: GET /poc_ssrf_proof.html → 200 (proves the server/container pulled the page from your host).
Leak channel: the backend reads the full HTML body before parsing (see io.ReadAll in SendRequest).
Impact
- Verified: Unauthenticated callers can make the Ech0 process issue server-side HTTP(S) requests to internal/reserved targets reachable from that process (PoC Step 2: host-reachable listener reflected in JSON).
- Code-level: The full response is read into memory (
io.ReadAll); only the title string is returned. Combined with default HTTP redirect following (standardhttp.Clientbehavior; not disabled here), the effective request graph is larger than a single URL. - TLS:
InsecureSkipVerify: truemeans misissued or intercepted TLS to internal HTTPS services is still accepted from the server’s perspective. - Deployment-dependent: Where routing allows (typical cloud VMs),
169.254.169.254-class endpoints are in scope for the same code path; treat as *high. - DOS(Denial of Service): reading the whole body into memory with io.ReadAll is a DoS vector if you point it at a massive file.
Remediation
- Enforce SSRF-safe URL policy: allow only needed schemes/hosts; block link-local, metadata, and loopback unless explicitly required.
- Remove
InsecureSkipVerify; use normal TLS verification. - Limit redirects (disable or cap hops; re-validate each target).
- Add response size / timeout limits; optionally restrict egress at the network layer.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lin-snow/ech0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.8-0.20260401031029-4ca56fea5ba4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35036"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:30:53Z",
"nvd_published_at": "2026-04-06T17:17:12Z",
"severity": "HIGH"
},
"details": "### Summary\n\nEch0 implements **link preview** (editor fetches a page title) through **`GET /api/website/title`**. That is **legitimate product behavior**, but the implementation is **unsafe**: the route is **unauthenticated**, accepts a **fully attacker-controlled URL**, performs a **server-side GET**, reads the **entire response body** into memory (`io.ReadAll`). There is **no** host allowlist, **no** SSRF filter, and **`InsecureSkipVerify: true`** on the outbound client.\n\n**Attacker outcome :** Anyone who can reach the instance can **force the Ech0 server** to open **HTTP/HTTPS URLs of their choice** as seen from the **server\u2019s network position** (Docker bridge, VPC, localhost from the process view). \nGo\u2019s default `http.Client` **follows redirects** (unless disabled). Redirect chains can move the server-side request from an allowed-looking host to an internal target; the code does not disable this in `SendRequest`.\n\n### Affected Components\n\n**Ech0 codebase:**\n\n- `internal/handler/common/common.go` \n Handles the `/api/website/title` endpoint and accepts user-controlled URL input.\n\n- `internal/service/common/common.go` \n Processes the request and invokes the outbound HTTP fetch (`GetWebsiteTitle`).\n\n- `internal/util/http/http.go` \n Performs the HTTP request (`SendRequest`) with the following insecure configurations:\n - No URL validation or allowlist\n - Redirects enabled (default client behavior)\n - `InsecureSkipVerify: true`\n\n### PoC \n\n**Environment:** Ech0 listening on `http://127.0.0.1:6277` (e.g. Docker image `sn0wl1n/ech0:latest`). No cookies or `Authorization` header.\n\n**Step 1 \u2014 baseline: unauthenticated server-side fetch (public URL):**\n\n```bash\ncurl.exe -sS -m 20 \"http://127.0.0.1:6277/api/website/title?website_url=https://example.com\"\n```\n\n**Observed result (verified):** HTTP 200, JSON with `code: 1` and `data` **`Example Domain`** \u2014 proves the **Ech0 process** performed an outbound GET without any client auth.\n\n**Step 2 \u2014 impact: host-bound page + recorded leak (repo PoC file)**\nCommitted PoC page: **`poc_ssrf_proof.html`** \n\n1. From **`poc file directory`**, listen on **0.0.0.0** (port **9999**):\n\n```bash\npython -m http.server 9999 --bind 0.0.0.0\n```\n\n2. **Docker Desktop (Windows / macOS):** Ech0 in Docker fetches the host via `host.docker.internal`:\n\n```bash\ncurl.exe -sS -m 20 \"http://127.0.0.1:6277/api/website/title?website_url=http://host.docker.internal:9999/poc_ssrf_proof.html\"\n```\n\n**Recorded response (verified this workspace, Ech0 4.2.2 in Docker):**\n\n```json\n{\"code\":1,\"msg\":\"\u83b7\u53d6\u7f51\u7ad9\u6807\u9898\u6210\u529f\",\"data\":\"ECH0_SSRF_POC_LEAK_2026\"}\n```\n\n**Python server log:** `GET /poc_ssrf_proof.html` \u2192 **200** (proves the **server/container** pulled the page from your host).\n\n**Leak channel:** the backend **reads the full HTML body** before parsing (see `io.ReadAll` in `SendRequest`).\n\n\n### Impact\n\n- **Verified:** Unauthenticated callers can make the Ech0 process issue **server-side HTTP(S) requests** to **internal/reserved targets** reachable from that process (PoC Step 2: host-reachable listener reflected in JSON).\n- **Code-level:** The full response is **read into memory** (`io.ReadAll`); only the title string is returned. Combined with **default HTTP redirect following** (standard `http.Client` behavior; not disabled here), the effective request graph is larger than a single URL.\n- **TLS:** `InsecureSkipVerify: true` means **misissued or intercepted TLS** to internal HTTPS services is still accepted from the server\u2019s perspective.\n- **Deployment-dependent:** Where routing allows (typical cloud VMs), **`169.254.169.254`-class** endpoints are in scope for the **same code path**; treat as **high*.\n- **DOS(Denial of Service)**: reading the whole body into memory with io.ReadAll is a DoS vector if you point it at a massive file.\n\n\n## Remediation\n\n- Enforce **SSRF-safe URL policy**: allow only needed schemes/hosts; block link-local, metadata, and loopback unless explicitly required.\n- Remove **`InsecureSkipVerify`**; use normal TLS verification.\n- **Limit redirects** (disable or cap hops; re-validate each target).\n- Add **response size / timeout** limits; optionally restrict egress at the **network** layer.",
"id": "GHSA-wc4h-2348-jc3p",
"modified": "2026-04-06T23:41:04Z",
"published": "2026-04-03T03:30:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35036"
},
{
"type": "PACKAGE",
"url": "https://github.com/lin-snow/Ech0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature"
}
GHSA-WC5H-762J-W3CX
Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-05 00:00IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433.
{
"affected": [],
"aliases": [
"CVE-2022-31776"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-01T11:15:00Z",
"severity": "HIGH"
},
"details": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433.",
"id": "GHSA-wc5h-762j-w3cx",
"modified": "2022-08-05T00:00:24Z",
"published": "2022-08-02T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31776"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228433"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6608604"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WC5M-7WGP-F4F3
Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-10-09 18:30Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The '/var/www/app/console_release/hp/badgeSetup.php' script is reachable from the Internet without any authentication and builds URLs from user‑controlled parameters before invoking either the custom processCurl() function or PHP’s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP‑range validation, or outbound‑network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
{
"affected": [],
"aliases": [
"CVE-2025-34231"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-29T21:15:36Z",
"severity": "HIGH"
},
"details": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The \u0027/var/www/app/console_release/hp/badgeSetup.php\u0027 script is reachable from the Internet without any authentication and builds URLs from user\u2011controlled parameters before invoking either the custom processCurl() function or PHP\u2019s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP\u2011range validation, or outbound\u2011network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.",
"id": "GHSA-wc5m-7wgp-f4f3",
"modified": "2025-10-09T18:30:27Z",
"published": "2025-09-29T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34231"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-07"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-hp-badgesetup-php-script"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WC9W-WVQ2-FFM9
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-10-02 14:34The avatar feature in Grafana (github.com/grafana/grafana/pkg/api/avatar) 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.1"
},
{
"fixed": "6.7.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-13379"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-14T16:27:02Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The avatar feature in Grafana (github.com/grafana/grafana/pkg/api/avatar) 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.",
"id": "GHSA-wc9w-wvq2-ffm9",
"modified": "2023-10-02T14:34:31Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13379"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48638"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200608-0006"
},
{
"type": "WEB",
"url": "https://rhynorater.github.io/CVE-2020-13379-Write-Up"
},
{
"type": "WEB",
"url": "https://mostwanted002.cf/post/grafanados"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2@%3Cdev.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31@%3Cdev.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13@%3Cissues.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820@%3Ccommits.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90@%3Cdev.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d@%3Cdev.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da@%3Cissues.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd@%3Cissues.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2@%3Cdev.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60@%3Cissues.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933@%3Cdev.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4@%3Cdev.ambari.apache.org%3E"
},
{
"type": "WEB",
"url": "https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix"
},
{
"type": "WEB",
"url": "https://community.grafana.com/t/release-notes-v7-0-x/29381"
},
{
"type": "WEB",
"url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"
},
{
"type": "WEB",
"url": "https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/06/03/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/06/09/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:F/RL:O/RC:C",
"type": "CVSS_V3"
}
],
"summary": "Server Side Request Forgery in Grafana"
}
GHSA-WCCC-W6WF-GHF3
Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 s vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
{
"affected": [],
"aliases": [
"CVE-2025-36324"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T21:16:29Z",
"severity": "MODERATE"
},
"details": "IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 s vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.",
"id": "GHSA-wccc-w6wf-ghf3",
"modified": "2026-06-30T21:31:45Z",
"published": "2026-06-30T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36324"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7277801"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCFM-9Q6F-MXPX
Vulnerability from github – Published: 2025-06-17 21:32 – Updated: 2025-06-17 21:32A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modTMSM component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.
{
"affected": [],
"aliases": [
"CVE-2025-30678"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-17T20:15:31Z",
"severity": "MODERATE"
},
"details": "A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modTMSM component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.",
"id": "GHSA-wcfm-9q6f-mxpx",
"modified": "2025-06-17T21:32:30Z",
"published": "2025-06-17T21:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30678"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/en-US/solution/KA-0019355"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-236"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCH2-934C-QJ79
Vulnerability from github – Published: 2025-03-22 12:30 – Updated: 2025-03-22 12:30The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
{
"affected": [],
"aliases": [
"CVE-2025-1970"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-22T12:15:25Z",
"severity": "HIGH"
},
"details": "The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
"id": "GHSA-wch2-934c-qj79",
"modified": "2025-03-22T12:30:22Z",
"published": "2025-03-22T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1970"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/import/classes/class-import-ajax.php#L175"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3259688"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a4d7d40-8e0e-4251-8e25-3fd4ebd3a93e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCRF-5VR8-VWJP
Vulnerability from github – Published: 2026-01-02 00:30 – Updated: 2026-01-02 00:30A flaw has been found in go-sonic sonic up to 1.1.4. The affected element is the function FetchTheme of the file service/theme/git_fetcher.go of the component Theme Fetching API. Executing manipulation of the argument uri can lead to server-side request forgery. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-15414"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-01T22:15:42Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in go-sonic sonic up to 1.1.4. The affected element is the function FetchTheme of the file service/theme/git_fetcher.go of the component Theme Fetching API. Executing manipulation of the argument uri can lead to server-side request forgery. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-wcrf-5vr8-vwjp",
"modified": "2026-01-02T00:30:25Z",
"published": "2026-01-02T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15414"
},
{
"type": "WEB",
"url": "https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ"
},
{
"type": "WEB",
"url": "https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ#-span--strong-proof-of-concept---strong---span-"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.339335"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.339335"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.719789"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WFGJ-WRGH-H3R3
Vulnerability from github – Published: 2024-03-22 23:54 – Updated: 2025-06-30 19:03Summary
While examining the "App Link assetlinks.json file could not be found" vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the "/.well-known/assetlinks.json" endpoint for all hosts written with "android:host". In the AndroidManifest.xml file.
Since MobSF does not perform any input validation when extracting the hostnames in "android:host", requests can also be sent to local hostnames. This may cause SSRF vulnerability.
Details
Example <intent-filter structure in AndroidManifest.xml:
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:host="192.168.1.102/user/delete/1#" android:scheme="http" />
</intent-filter>
We defined it as android:host="192.168.1.102/user/delete/1#". Here, the "#" character at the end of the host prevents requests from being sent to the "/.well-known/assetlinks.json" endpoint and ensures that requests are sent to the endpoint before it.
PoC
https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link
Impact
The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mobsfscan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29190"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-22T23:54:53Z",
"nvd_published_at": "2024-03-22T23:15:07Z",
"severity": "HIGH"
},
"details": "### Summary\nWhile examining the \"App Link assetlinks.json file could not be found\" vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the \"/.well-known/assetlinks.json\" endpoint for all hosts written with \"android:host\". In the AndroidManifest.xml file.\n\nSince MobSF does not perform any input validation when extracting the hostnames in \"android:host\", requests can also be sent to local hostnames. This may cause SSRF vulnerability.\n\n### Details\nExample \u003cintent-filter structure in AndroidManifest.xml:\n\n```\n\u003cintent-filter android:autoVerify=\"true\"\u003e\n\u003caction android:name=\"android.intent.action.VIEW\" /\u003e\n\u003ccategory android:name=\"android.intent.category.DEFAULT\" /\u003e\n\u003ccategory android:name=\"android.intent.category.BROWSABLE\" /\u003e\n\u003cdata android:host=\"192.168.1.102/user/delete/1#\" android:scheme=\"http\" /\u003e\n\u003c/intent-filter\u003e\n```\n\n\nWe defined it as android:host=\"192.168.1.102/user/delete/1#\". Here, the \"#\" character at the end of the host prevents requests from being sent to the \"/.well-known/assetlinks.json\" endpoint and ensures that requests are sent to the endpoint before it.\n\n\n\u003cimg width=\"617\" alt=\"image\" src=\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/assets/150332295/c570cb00-e947-4ad7-af80-26d46c0ad3f7\"\u003e\n\n\n### PoC\nhttps://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link\n\n\n### Impact\nThe attacker can cause the server to make a connection to internal-only services within the organization\u0027s infrastructure.",
"id": "GHSA-wfgj-wrgh-h3r3",
"modified": "2025-06-30T19:03:32Z",
"published": "2024-03-22T23:54:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29190"
},
{
"type": "WEB",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/5a8eeee73c5f504a6c3abdf2a139a13804efdb77"
},
{
"type": "WEB",
"url": "https://github.com/MobSF/mobsfscan/commit/61fd40b477bbf9d204eb8c5a83a86c396d839798"
},
{
"type": "WEB",
"url": "https://github.com/MobSF/mobsfscan/commit/cd01b71770a6e56c1c71b0e5f454e7b6c9c64ef4"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link"
},
{
"type": "PACKAGE",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mobsf/PYSEC-2024-257.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "SSRF Vulnerability on assetlinks_check(act_name, well_knowns)"
}
GHSA-WFHV-4QH5-C632
Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-07-13 00:01A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.
{
"affected": [],
"aliases": [
"CVE-2022-26135"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-30T06:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.",
"id": "GHSA-wfhv-4qh5-c632",
"modified": "2022-07-13T00:01:56Z",
"published": "2022-07-01T00:01:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26135"
},
{
"type": "WEB",
"url": "https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/JRASERVER-73863"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/JSDSERVER-11840"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.