CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4607 vulnerabilities reference this CWE, most recent first.
GHSA-X4QJ-2F4Q-R4RX
Vulnerability from github – Published: 2025-11-05 19:52 – Updated: 2025-11-07 20:31Impact
A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter allows to execute an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response.
Patches
The feature has been implemented in Parse Server 4.2.0 but never worked and reliably crashes the server when trying to use it due to a bug in its implementation. Since the feature is not currently working, and due to its risky nature, it has been removed to address the vulnerability.
Workarounds
None.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "7.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.4.0-alpha.1"
},
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.4.0-alpha.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64430"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-05T19:52:27Z",
"nvd_published_at": "2025-11-07T18:15:37Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a `Parse.File` with `uri` parameter allows to execute an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server\u0027s file storage as the server crashes upon receiving the response.\n\n### Patches\n\nThe feature has been implemented in Parse Server 4.2.0 but never worked and reliably crashes the server when trying to use it due to a bug in its implementation. Since the feature is not currently working, and due to its risky nature, it has been removed to address the vulnerability.\n\n### Workarounds\n\nNone.",
"id": "GHSA-x4qj-2f4q-r4rx",
"modified": "2025-11-07T20:31:43Z",
"published": "2025-11-05T19:52:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64430"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/9903"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/9904"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/97763863b72689a29ad7a311dfb590c3e3c50585"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format"
}
GHSA-X4R9-GMW3-HXWW
Vulnerability from github – Published: 2026-06-12 18:23 – Updated: 2026-06-12 18:23Summary
A GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).
Details
This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST (default since 2.25.0):
Impact
This vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.
Workaround
GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., https://somesite.org instead of https://somesite.org/ or https://somesite.org/geoserver). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
Resources
https://osgeo-org.atlassian.net/browse/GEOS-11867 https://github.com/geoserver/geoserver/pull/8622
Credits:
- Le Mau Anh Phong at Verichains Cyber Force
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.26.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-main"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.26.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.27.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-main"
},
"ranges": [
{
"events": [
{
"introduced": "2.27.0"
},
{
"fixed": "2.27.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.27.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "2.27.0"
},
{
"fixed": "2.27.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58175"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T18:23:35Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nA GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).\n\n### Details\nThis vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0):\n\n### Impact\nThis vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.\n\n### Workaround\nGeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., `https://somesite.org` instead of `https://somesite.org/` or `https://somesite.org/geoserver`). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.\n\n### Resources\nhttps://osgeo-org.atlassian.net/browse/GEOS-11867\nhttps://github.com/geoserver/geoserver/pull/8622\n\n### Credits:\n- Le Mau Anh Phong at Verichains Cyber Force",
"id": "GHSA-x4r9-gmw3-hxww",
"modified": "2026-06-12T18:23:35Z",
"published": "2026-06-12T18:23:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-x4r9-gmw3-hxww"
},
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/pull/8622"
},
{
"type": "PACKAGE",
"url": "https://github.com/geoserver/geoserver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution"
}
GHSA-X4VC-M5G5-663M
Vulnerability from github – Published: 2025-07-11 09:30 – Updated: 2025-07-11 09:30The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
{
"affected": [],
"aliases": [
"CVE-2025-6851"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-11T09:15:25Z",
"severity": "HIGH"
},
"details": "The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
"id": "GHSA-x4vc-m5g5-663m",
"modified": "2025-07-11T09:30:32Z",
"published": "2025-07-11T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6851"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3323864%40broken-link-notifier\u0026new=3323864%40broken-link-notifier\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f76c9f8-c57a-4875-b581-f67c9c60021c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X557-GW6M-864X
Vulnerability from github – Published: 2025-11-19 06:31 – Updated: 2025-11-19 06:31The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.3 via the 'get_image_size_by_url' function. This is due to insufficient validation of user-supplied URLs when determining image dimensions for gallery items. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
{
"affected": [],
"aliases": [
"CVE-2025-12359"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-19T06:15:45Z",
"severity": "MODERATE"
},
"details": "The Responsive Lightbox \u0026 Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.3 via the \u0027get_image_size_by_url\u0027 function. This is due to insufficient validation of user-supplied URLs when determining image dimensions for gallery items. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.",
"id": "GHSA-x557-gw6m-864x",
"modified": "2025-11-19T06:31:11Z",
"published": "2025-11-19T06:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12359"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-fast-image.php#L25"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-frontend.php#L1531"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-galleries.php#L3648"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/functions.php#L108"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3397940%40responsive-lightbox%2Ftrunk\u0026old=3358021%40responsive-lightbox%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://research.cleantalk.org/cve-2025-12359"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f4c0bd6-f289-4a52-ac11-345076c32d84?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X5C9-RRJF-32HG
Vulnerability from github – Published: 2024-04-18 12:30 – Updated: 2026-04-28 21:34Server-Side Request Forgery (SSRF) vulnerability in Really Simple Plugins Really Simple SSL.This issue affects Really Simple SSL: from n/a through 7.2.3.
{
"affected": [],
"aliases": [
"CVE-2024-31229"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-18T11:15:37Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in Really Simple Plugins Really Simple SSL.This issue affects Really Simple SSL: from n/a through 7.2.3.",
"id": "GHSA-x5c9-rrjf-32hg",
"modified": "2026-04-28T21:34:51Z",
"published": "2024-04-18T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31229"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/really-simple-ssl/wordpress-really-simple-ssl-plugin-7-2-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X5R2-HJ5C-8JX6
Vulnerability from github – Published: 2021-02-11 20:42 – Updated: 2025-10-22 19:05Impact
Users of Adminer versions bundling all drivers (e.g. adminer.php) are affected.
Patches
Patched by ccd2374b, included in version 4.7.9.
Workarounds
- Use a single driver version (e.g.
adminer-mysql.php). - Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP plugin.
References
https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
For more information
If you have any questions or comments about this advisory: * Comment at ccd2374b.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "vrana/adminer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.7.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21311"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2021-02-11T20:42:04Z",
"nvd_published_at": "2021-02-11T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nUsers of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected.\n\n### Patches\nPatched by ccd2374b, included in version [4.7.9](https://github.com/vrana/adminer/releases/tag/v4.7.9).\n\n### Workarounds\n* Use a single driver version (e.g. `adminer-mysql.php`).\n* Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP [plugin](https://www.adminer.org/plugins/).\n\n### References\nhttps://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Comment at ccd2374b.",
"id": "GHSA-x5r2-hj5c-8jx6",
"modified": "2025-10-22T19:05:30Z",
"published": "2021-02-11T20:42:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21311"
},
{
"type": "WEB",
"url": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351"
},
{
"type": "PACKAGE",
"url": "https://github.com/vrana/adminer"
},
{
"type": "WEB",
"url": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/vrana/adminer"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/adminer/news/2021/02/adminer-479-released"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21311"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H",
"type": "CVSS_V3"
}
],
"summary": "SSRF in adminer"
}
GHSA-X5VX-VRPF-R45F
Vulnerability from github – Published: 2026-04-01 21:08 – Updated: 2026-04-01 21:08Summary
The EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services.
Details
When a user adds or edits a video, the EPG link is stored via objects/videoAddNew.json.php:119:
$obj->setEpg_link($_POST['epg_link']);
The only validation applied is FILTER_VALIDATE_URL, which accepts URLs targeting internal addresses such as http://127.0.0.1, http://169.254.169.254, or http://10.0.0.1.
Later, when the EPG data is parsed, the stored URL is fetched server-side at objects/EpgParser.php:358:
$this->content = @\file_get_contents($this->url);
The file_get_contents() function follows redirects and supports multiple protocols including http://, https://, ftp://, and depending on PHP configuration, php:// and other stream wrappers.
The codebase contains an isSSRFSafeURL() function that validates URLs against internal network ranges, but this function is not invoked anywhere in the EPG link processing path.
Because the URL is stored in the database, every subsequent visit to the EPG page re-triggers the server-side request. This makes the SSRF persistent and repeatable without further attacker interaction.
Proof of Concept
-
Authenticate as a user with upload permissions.
-
Create or edit a video and set the EPG link to an internal target:
# Target the cloud metadata service
curl -b "PHPSESSID=USER_SESSION" \
-X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
-d "title=Test+Video&epg_link=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
- Trigger the EPG parser by visiting the video's EPG page, or wait for the next page load that processes EPG data:
curl -b "PHPSESSID=USER_SESSION" \
"https://your-avideo-instance.com/plugin/Live/view/Live_schedule/?videos_id=VIDEO_ID"
- To scan internal ports, set the EPG link to various internal addresses:
# Scan an internal service
curl -b "PHPSESSID=USER_SESSION" \
-X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
-d "title=Test+Video&epg_link=http://127.0.0.1:6379/"
- The server fetches the URL via
file_get_contents(). Response differences (timing, error messages, or returned content via EPG display) reveal whether internal services are running.
Impact
An authenticated user with upload permissions can force the AVideo server to make HTTP requests to arbitrary internal and external targets. This enables scanning of internal networks, access to cloud instance metadata (potentially exposing IAM credentials on AWS/GCP/Azure), and interaction with internal services that are not intended to be externally accessible. The stored nature of this SSRF means it re-executes on every page visit, amplifying the impact.
- CWE-918: Server-Side Request Forgery (SSRF)
- Severity: Medium
Recommended Fix
Add an isSSRFSafeURL() check before the file_get_contents() call at objects/EpgParser.php:355:
if (function_exists('isSSRFSafeURL') && !isSSRFSafeURL($this->url)) {
throw new \RuntimeException('URL blocked by SSRF protection');
}
This reuses the existing SSRF protection function that is already applied in other code paths.
Found by aisafe.io
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34740"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T21:08:40Z",
"nvd_published_at": "2026-03-31T21:16:32Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP\u0027s `FILTER_VALIDATE_URL`, which accepts internal network addresses. Although AVideo has a dedicated `isSSRFSafeURL()` function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services.\n\n## Details\n\nWhen a user adds or edits a video, the EPG link is stored via `objects/videoAddNew.json.php:119`:\n\n```php\n$obj-\u003esetEpg_link($_POST[\u0027epg_link\u0027]);\n```\n\nThe only validation applied is `FILTER_VALIDATE_URL`, which accepts URLs targeting internal addresses such as `http://127.0.0.1`, `http://169.254.169.254`, or `http://10.0.0.1`.\n\nLater, when the EPG data is parsed, the stored URL is fetched server-side at `objects/EpgParser.php:358`:\n\n```php\n$this-\u003econtent = @\\file_get_contents($this-\u003eurl);\n```\n\nThe `file_get_contents()` function follows redirects and supports multiple protocols including `http://`, `https://`, `ftp://`, and depending on PHP configuration, `php://` and other stream wrappers.\n\nThe codebase contains an `isSSRFSafeURL()` function that validates URLs against internal network ranges, but this function is not invoked anywhere in the EPG link processing path.\n\nBecause the URL is stored in the database, every subsequent visit to the EPG page re-triggers the server-side request. This makes the SSRF persistent and repeatable without further attacker interaction.\n\n## Proof of Concept\n\n1. Authenticate as a user with upload permissions.\n\n2. Create or edit a video and set the EPG link to an internal target:\n\n```bash\n# Target the cloud metadata service\ncurl -b \"PHPSESSID=USER_SESSION\" \\\n -X POST \"https://your-avideo-instance.com/objects/videoAddNew.json.php\" \\\n -d \"title=Test+Video\u0026epg_link=http://169.254.169.254/latest/meta-data/iam/security-credentials/\"\n```\n\n3. Trigger the EPG parser by visiting the video\u0027s EPG page, or wait for the next page load that processes EPG data:\n\n```bash\ncurl -b \"PHPSESSID=USER_SESSION\" \\\n \"https://your-avideo-instance.com/plugin/Live/view/Live_schedule/?videos_id=VIDEO_ID\"\n```\n\n4. To scan internal ports, set the EPG link to various internal addresses:\n\n```bash\n# Scan an internal service\ncurl -b \"PHPSESSID=USER_SESSION\" \\\n -X POST \"https://your-avideo-instance.com/objects/videoAddNew.json.php\" \\\n -d \"title=Test+Video\u0026epg_link=http://127.0.0.1:6379/\"\n```\n\n5. The server fetches the URL via `file_get_contents()`. Response differences (timing, error messages, or returned content via EPG display) reveal whether internal services are running.\n\n## Impact\n\nAn authenticated user with upload permissions can force the AVideo server to make HTTP requests to arbitrary internal and external targets. This enables scanning of internal networks, access to cloud instance metadata (potentially exposing IAM credentials on AWS/GCP/Azure), and interaction with internal services that are not intended to be externally accessible. The stored nature of this SSRF means it re-executes on every page visit, amplifying the impact.\n\n- **CWE-918**: Server-Side Request Forgery (SSRF)\n- **Severity**: Medium\n\n## Recommended Fix\n\nAdd an `isSSRFSafeURL()` check before the `file_get_contents()` call at `objects/EpgParser.php:355`:\n\n```php\nif (function_exists(\u0027isSSRFSafeURL\u0027) \u0026\u0026 !isSSRFSafeURL($this-\u003eurl)) {\n throw new \\RuntimeException(\u0027URL blocked by SSRF protection\u0027);\n}\n```\n\nThis reuses the existing SSRF protection function that is already applied in other code paths.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
"id": "GHSA-x5vx-vrpf-r45f",
"modified": "2026-04-01T21:08:40Z",
"published": "2026-04-01T21:08:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x5vx-vrpf-r45f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34740"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/677d1a314d46abce457c7b662afbb58b0d9f17a2"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation"
}
GHSA-X63R-JX45-482M
Vulnerability from github – Published: 2026-03-09 18:31 – Updated: 2026-03-11 15:31An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master.
{
"affected": [],
"aliases": [
"CVE-2025-70042"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-09T16:16:15Z",
"severity": "CRITICAL"
},
"details": "An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master.",
"id": "GHSA-x63r-jx45-482m",
"modified": "2026-03-11T15:31:36Z",
"published": "2026-03-09T18:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70042"
},
{
"type": "WEB",
"url": "https://gist.github.com/zcxlighthouse/5a6d15611456de619e4be36f7d2a0ee7"
},
{
"type": "WEB",
"url": "https://github.com/oslabs-beta"
},
{
"type": "WEB",
"url": "https://github.com/oslabs-beta/ThermaKube"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X698-9G95-CHP7
Vulnerability from github – Published: 2023-06-08 21:30 – Updated: 2024-04-04 04:40Pydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells.
{
"affected": [],
"aliases": [
"CVE-2023-32750"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-08T21:15:17Z",
"severity": "MODERATE"
},
"details": "Pydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job \"remote-download\" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells.",
"id": "GHSA-x698-9g95-chp7",
"modified": "2024-04-04T04:40:57Z",
"published": "2023-06-08T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32750"
},
{
"type": "WEB",
"url": "https://www.redteam-pentesting.de/advisories/rt-sa-2023-005"
},
{
"type": "WEB",
"url": "https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X6F8-H6VP-666P
Vulnerability from github – Published: 2025-08-26 00:31 – Updated: 2025-08-26 18:31Rebuild v3.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the type parameter in the com.rebuild.web.admin.rbstore.RBStoreController#loadDataIndex method.
{
"affected": [],
"aliases": [
"CVE-2024-46413"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-25T15:15:35Z",
"severity": "MODERATE"
},
"details": "Rebuild v3.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the type parameter in the com.rebuild.web.admin.rbstore.RBStoreController#loadDataIndex method.",
"id": "GHSA-x6f8-h6vp-666p",
"modified": "2025-08-26T18:31:14Z",
"published": "2025-08-26T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46413"
},
{
"type": "WEB",
"url": "https://github.com/RacerZ-fighting/CVE-vulns/blob/main/rebuild%203.7.7.md"
},
{
"type": "WEB",
"url": "https://github.com/RacerZ-fighting/rebuild-vulns/blob/main/rebuild%203.7.7.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.