CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4640 vulnerabilities reference this CWE, most recent first.
GHSA-QMW5-54CP-96W5
Vulnerability from github – Published: 2025-11-18 09:30 – Updated: 2025-11-18 09:30The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the url parameter in the [syndicate_local] shortcode. This is due to the use of wp_remote_get() instead of wp_safe_remote_get() which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and access resources that should not be accessible from external networks.
{
"affected": [],
"aliases": [
"CVE-2025-12962"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T09:15:49Z",
"severity": "MODERATE"
},
"details": "The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. This is due to the use of `wp_remote_get()` instead of `wp_safe_remote_get()` which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and access resources that should not be accessible from external networks.",
"id": "GHSA-qmw5-54cp-96w5",
"modified": "2025-11-18T09:30:52Z",
"published": "2025-11-18T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12962"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L41"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L64"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7774cdfd-622a-4608-9efd-273923a0d0aa?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QP2P-M8V3-MGHG
Vulnerability from github – Published: 2022-10-14 12:00 – Updated: 2022-10-14 12:00ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.
{
"affected": [],
"aliases": [
"CVE-2022-41495"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-13T21:15:00Z",
"severity": "CRITICAL"
},
"details": "ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.",
"id": "GHSA-qp2p-m8v3-mghg",
"modified": "2022-10-14T12:00:17Z",
"published": "2022-10-14T12:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41495"
},
{
"type": "WEB",
"url": "https://github.com/jayus0821/insight/blob/master/ClipperCMS%20SSRF2.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QP4C-XG64-7C6X
Vulnerability from github – Published: 2026-03-12 14:51 – Updated: 2026-04-15 20:46Impact
A Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD
metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects.
The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly
enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.
### Patches
Patched in @backstage/plugin-auth-backend version 0.27.1. The fix disables HTTP redirect following when fetching CIMD metadata documents.
### Workarounds
Disable the experimental CIMD feature by removing or setting auth.experimentalClientIdMetadataDocuments.enabled to false in your app-config. This is the default configuration.
Alternatively, restrict allowedClientIdPatterns to specific trusted domains rather than using the default wildcard pattern.
### References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@backstage/plugin-auth-backend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.27.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32236"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:51:02Z",
"nvd_published_at": "2026-03-12T19:16:18Z",
"severity": "LOW"
},
"details": "### Impact \n \n A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD \n metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects.\n \n The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly\n enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected.\n\n ### Patches\n\n Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents.\n\n ### Workarounds\n\n Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration.\n Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern.\n\n ### References\n\n - [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)\n - [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)",
"id": "GHSA-qp4c-xg64-7c6x",
"modified": "2026-04-15T20:46:59Z",
"published": "2026-03-12T14:51:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-qp4c-xg64-7c6x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32236"
},
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/commit/17038abf2dfdb4abc08a59b1c95af39851de0e07"
},
{
"type": "PACKAGE",
"url": "https://github.com/backstage/backstage"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch"
}
GHSA-QP8J-P87F-C8CC
Vulnerability from github – Published: 2025-04-07 16:54 – Updated: 2025-04-10 01:55Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System
Disclaimer
This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.
Description
A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. The vulnerability exists in the LNURL authentication callback process where the application makes HTTP requests to user-provided callback URLs and follows redirects without proper validation.
When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.
This vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal network locations, potentially exposing sensitive information or accessing internal services that should not be accessible from the internet.
Steps to Reproduce
- Create a new wallet account to get an admin key:
curl -X POST http://target:5000/api/v1/account -d '{"name":"test"}'
- Use the obtained admin key to send a crafted LNURL authentication request:
curl -X POST http://target:5000/api/v1/lnurlauth \
-H "X-Api-Key: <admin_key>" \
-H "Content-Type: application/json" \
-d '{
"callback": "http://target-internal-server/?tag=login&k1=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
"k1": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
"sig": "0"*128,
"key": "0"*64
}'
The application will make an HTTP request to the internal URL specified in the callback parameter and return its contents in the response, allowing access to internal resources that should not be accessible.
Mitigations
- Implement strict URL validation for callback URLs, ensuring they only point to allowed domains and networks.
- Use a whitelist of allowed domains and IP ranges for callback URLs.
- Disable redirect following in HTTP requests or implement strict redirect validation.
- Consider using a proxy service that restricts access to internal networks when making external HTTP requests.
Impact
This vulnerability allows authenticated attackers to access internal network resources that should not be accessible from the internet. While authentication is required to exploit this vulnerability, any user who can create a wallet gets the necessary access level. The vulnerability can be used to read internal files, access internal services, and potentially expose sensitive information from the internal network.
Disclosure Policy
This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lnbits"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.12.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32013"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-07T16:54:36Z",
"nvd_published_at": "2025-04-06T20:15:15Z",
"severity": "CRITICAL"
},
"details": "# Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System\n\n## Disclaimer\n\nThis vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.\n\n## Description\n\nA Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits\u0027 LNURL authentication handling functionality. The vulnerability exists in the LNURL authentication callback process where the application makes HTTP requests to user-provided callback URLs and follows redirects without proper validation.\n\nWhen processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn\u0027t properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.\n\nThis vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal network locations, potentially exposing sensitive information or accessing internal services that should not be accessible from the internet.\n\n## Steps to Reproduce\n\n1. Create a new wallet account to get an admin key:\n\n```\ncurl -X POST http://target:5000/api/v1/account -d \u0027{\"name\":\"test\"}\u0027\n```\n\n2. Use the obtained admin key to send a crafted LNURL authentication request:\n\n```\ncurl -X POST http://target:5000/api/v1/lnurlauth \\\n -H \"X-Api-Key: \u003cadmin_key\u003e\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"callback\": \"http://target-internal-server/?tag=login\u0026k1=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\",\n \"k1\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\",\n \"sig\": \"0\"*128,\n \"key\": \"0\"*64\n }\u0027\n```\n\nThe application will make an HTTP request to the internal URL specified in the callback parameter and return its contents in the response, allowing access to internal resources that should not be accessible.\n\n## Mitigations\n\n- Implement strict URL validation for callback URLs, ensuring they only point to allowed domains and networks.\n- Use a whitelist of allowed domains and IP ranges for callback URLs.\n- Disable redirect following in HTTP requests or implement strict redirect validation.\n- Consider using a proxy service that restricts access to internal networks when making external HTTP requests.\n\n## Impact\n\nThis vulnerability allows authenticated attackers to access internal network resources that should not be accessible from the internet. While authentication is required to exploit this vulnerability, any user who can create a wallet gets the necessary access level. The vulnerability can be used to read internal files, access internal services, and potentially expose sensitive information from the internal network.\n\n## Disclosure Policy\n\nThis bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.",
"id": "GHSA-qp8j-p87f-c8cc",
"modified": "2025-04-10T01:55:57Z",
"published": "2025-04-07T16:54:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32013"
},
{
"type": "PACKAGE",
"url": "https://github.com/lnbits/lnbits"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/lnbits/PYSEC-2025-16.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback"
}
GHSA-QPJ9-QCWX-8JV2
Vulnerability from github – Published: 2025-06-19 14:29 – Updated: 2025-06-20 14:19Impact
What kind of vulnerability is it? Who is impacted?
In certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack.
This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system.
The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels.
Am I impacted?
You are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files.
Patches
com.powsybl:powsybl-commons:6.7.2 and higher
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.7.1"
},
"package": {
"ecosystem": "Maven",
"name": "com.powsybl:powsybl-commons"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47293"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-19T14:29:40Z",
"nvd_published_at": "2025-06-19T22:15:19Z",
"severity": "LOW"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nIn certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack.\nThis allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system.\nThe vulnerable class is `com.powsybl.commons.xml.XmlReader` which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels.\n\n#### Am I impacted?\nYou are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files.\n\n### Patches\ncom.powsybl:powsybl-commons:6.7.2 and higher\n\n### References\n[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)",
"id": "GHSA-qpj9-qcwx-8jv2",
"modified": "2025-06-20T14:19:17Z",
"published": "2025-06-19T14:29:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-qpj9-qcwx-8jv2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47293"
},
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/commit/e6c7c4997ae8758b54a2f23ce1a499e25113acdc"
},
{
"type": "PACKAGE",
"url": "https://github.com/powsybl/powsybl-core"
},
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "PowSyBl Core XML Reader allows XXE and SSRF"
}
GHSA-QPR4-C339-7VQ8
Vulnerability from github – Published: 2025-09-04 19:24 – Updated: 2025-09-05 16:10Summary
When using Astro's Cloudflare adapter (@astrojs/cloudflare) configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served.
Details
On-demand rendered sites built with Astro include an /_image endpoint, which returns optimized versions of images.
The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).
However, a bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin.
PoC
-
Create a new minimal Astro project (
astro@5.13.3) -
Configure it to use the Cloudflare adapter (
@astrojs/cloudflare@12.6.5) and server output:
```js // astro.config.mjs import { defineConfig } from 'astro/config'; import cloudflare from '@astrojs/cloudflare';
export default defineConfig({ output: 'server', adapter: cloudflare(), }); ```
-
Deploy to Cloudflare Pages or Workers
-
Append
/_image?href=https://placehold.co/600x400to the deployment URL. -
This will serve the placeholder image from the unauthorised
placehold.codomain.
Impact
Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized content. This includes the risk of server-side request forgery (SSRF) and by extension cross-site scripting (XSS) if a user follows a link to a maliciously crafted URL.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@astrojs/cloudflare"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.3"
},
{
"fixed": "12.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58179"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-04T19:24:11Z",
"nvd_published_at": "2025-09-05T00:15:32Z",
"severity": "HIGH"
},
"details": "### Summary\n\nWhen using Astro\u0027s Cloudflare adapter (`@astrojs/cloudflare`) configured with `output: \u0027server\u0027` while using the default `imageService: \u0027compile\u0027`, the generated image optimization endpoint doesn\u0027t check the URLs it receives, allowing content from unauthorized third-party domains to be served.\n\n### Details\n\nOn-demand rendered sites built with Astro include an `/_image` endpoint, which returns optimized versions of images.\n\nThe `/_image` endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the [`image.domains`](https://docs.astro.build/en/reference/configuration-reference/#imagedomains) or [`image.remotePatterns`](https://docs.astro.build/en/reference/configuration-reference/#imageremotepatterns) options).\n\nHowever, a bug in impacted versions of the `@astrojs/cloudflare` adapter for deployment on Cloudflare\u2019s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin.\n\n### PoC\n\n1. Create a new minimal Astro project (`astro@5.13.3`)\n\n2. Configure it to use the Cloudflare adapter (`@astrojs/cloudflare@12.6.5`) and server output:\n\n ```js\n // astro.config.mjs\n import { defineConfig } from \u0027astro/config\u0027;\n import cloudflare from \u0027@astrojs/cloudflare\u0027;\n\n export default defineConfig({\n output: \u0027server\u0027,\n adapter: cloudflare(),\n });\n ```\n\n3. Deploy to Cloudflare Pages or Workers\n\n4. Append `/_image?href=https://placehold.co/600x400` to the deployment URL.\n\n7. This will serve the placeholder image from the unauthorised `placehold.co` domain.\n\n### Impact\n\nAllows a non-authorized third-party to create URLs on an impacted site\u2019s origin that serve unauthorized content. This includes the risk of server-side request forgery (SSRF) and by extension cross-site scripting (XSS) if a user follows a link to a maliciously crafted URL.",
"id": "GHSA-qpr4-c339-7vq8",
"modified": "2025-09-05T16:10:42Z",
"published": "2025-09-04T19:24:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withastro/astro/security/advisories/GHSA-qpr4-c339-7vq8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58179"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252"
},
{
"type": "PACKAGE",
"url": "https://github.com/withastro/astro"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter"
}
GHSA-QQ22-JJ8X-4WWV
Vulnerability from github – Published: 2024-05-03 20:29 – Updated: 2025-02-21 16:11Impact
An authenticated user who has access to a game server is able to bypass the previously implemented access control (https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible.
Workarounds
Enabling the api.disable_remote_download option or updating to the latest version of Wings are the only known workarounds.
Patches
https://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/pterodactyl/wings"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34068"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-441",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-03T20:29:59Z",
"nvd_published_at": "2024-05-03T18:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nAn authenticated user who has access to a game server is able to bypass the previously implemented access control (https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible.\n\n### Workarounds\n\nEnabling the `api.disable_remote_download` option or updating to the latest version of Wings are the only known workarounds.\n\n### Patches\n\nhttps://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8",
"id": "GHSA-qq22-jj8x-4wwv",
"modified": "2025-02-21T16:11:49Z",
"published": "2024-05-03T20:29:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-qq22-jj8x-4wwv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34068"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8"
},
{
"type": "PACKAGE",
"url": "https://github.com/pterodactyl/wings"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2815"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull"
}
GHSA-QQ3X-34H5-GRMG
Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-17 15:34Server-Side Request Forgery (SSRF) vulnerability in Ctera Portal 8.1.x (8.1.1417.24) allows remote attackers to induce the server to make arbitrary HTTP requests via a crafted HTML file containing an iframe.
{
"affected": [],
"aliases": [
"CVE-2025-52196"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T18:16:12Z",
"severity": "HIGH"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in Ctera Portal 8.1.x (8.1.1417.24) allows remote attackers to induce the server to make arbitrary HTTP requests via a crafted HTML file containing an iframe.",
"id": "GHSA-qq3x-34h5-grmg",
"modified": "2025-12-17T15:34:52Z",
"published": "2025-12-16T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52196"
},
{
"type": "WEB",
"url": "https://gist.github.com/simonecris/99baeb07fe6e1803d461e44031819cd3"
},
{
"type": "WEB",
"url": "https://kb.ctera.com/docs/81x-portal"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQ4X-R2PP-5QFW
Vulnerability from github – Published: 2024-07-22 12:30 – Updated: 2024-07-22 12:30Server-Side Request Forgery (SSRF) vulnerability in Bernhard Kux JSON Content Importer.This issue affects JSON Content Importer: from n/a through 1.5.6.
{
"affected": [],
"aliases": [
"CVE-2024-38723"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-22T11:15:03Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in Bernhard Kux JSON Content Importer.This issue affects JSON Content Importer: from n/a through 1.5.6.",
"id": "GHSA-qq4x-r2pp-5qfw",
"modified": "2024-07-22T12:30:38Z",
"published": "2024-07-22T12:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38723"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/json-content-importer/wordpress-get-use-apis-json-content-importer-plugin-1-5-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQ52-64C9-PCW8
Vulnerability from github – Published: 2023-07-17 18:31 – Updated: 2024-04-04 06:10Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
{
"affected": [],
"aliases": [
"CVE-2023-3577"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-17T16:15:10Z",
"severity": "MODERATE"
},
"details": "Mattermost fails to properly restrict requests to\u00a0localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited\u00a0blind SSRF.\n\n",
"id": "GHSA-qq52-64c9-pcw8",
"modified": "2024-04-04T06:10:52Z",
"published": "2023-07-17T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3577"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.