Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4638 vulnerabilities reference this CWE, most recent first.

GHSA-RRCF-FXFM-G3VR

Vulnerability from github – Published: 2023-11-13 03:30 – Updated: 2026-04-28 21:33
VLAI
Details

Server-Side Request Forgery (SSRF) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing.This issue affects Motors – Car Dealer, Classifieds & Listing: from n/a through 1.4.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-13T03:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Server-Side Request Forgery (SSRF) vulnerability in StylemixThemes Motors \u2013 Car Dealer, Classifieds \u0026 Listing.This issue affects Motors \u2013 Car Dealer, Classifieds \u0026 Listing: from n/a through 1.4.6.",
  "id": "GHSA-rrcf-fxfm-g3vr",
  "modified": "2026-04-28T21:33:07Z",
  "published": "2023-11-13T03:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46207"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/motors-car-dealership-classified-listings/wordpress-motors-car-dealer-classifieds-listing-plugin-1-4-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RRJM-X5M6-Q2PG

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2023-02-04 00:30
VLAI
Details

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-17T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.",
  "id": "GHSA-rrjm-x5m6-q2pg",
  "modified": "2023-02-04T00:30:38Z",
  "published": "2022-05-24T16:59:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17669"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WordPress/WordPress/commit/608d39faed63ea212b6c6cdf9fe2bef92e2120ea"
    },
    {
      "type": "WEB",
      "url": "https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html"
    },
    {
      "type": "WEB",
      "url": "https://core.trac.wordpress.org/changeset/46475"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2020/Jan/8"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9912"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4599"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4677"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RRV8-H9V7-3GP2

Vulnerability from github – Published: 2024-12-19 03:30 – Updated: 2024-12-19 03:30
VLAI
Details

The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12121"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-19T02:15:22Z",
    "severity": "MODERATE"
  },
  "details": "The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the \u0027moblc_check_link\u0027 function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
  "id": "GHSA-rrv8-h9v7-3gp2",
  "modified": "2024-12-19T03:30:41Z",
  "published": "2024-12-19T03:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12121"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3207590/broken-link-finder"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa52034e-3d11-4be5-ab8b-8f7256be2a3e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV87-VCV4-FJVR

Vulnerability from github – Published: 2022-05-14 03:05 – Updated: 2022-07-27 21:12
VLAI
Summary
URLTrigger Plugin server-side request forgery vulnerability
Details

A server-side request forgery vulnerability exists in Jenkins URLTrigger Plugin 0.41 and earlier in URLTrigger.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. As of version 0.43, this form validation method no longer connects to a user provided URL.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.41"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:urltrigger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.43"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-27T21:12:17Z",
    "nvd_published_at": "2018-06-26T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A server-side request forgery vulnerability exists in Jenkins URLTrigger Plugin 0.41 and earlier in URLTrigger.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. As of version 0.43, this form validation method no longer connects to a user provided URL.",
  "id": "GHSA-rv87-vcv4-fjvr",
  "modified": "2022-07-27T21:12:17Z",
  "published": "2022-05-14T03:05:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000606"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/urltrigger-plugin/commit/46220e69c220bacf8eb23911c8feba9dd68d1a26"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/urltrigger-plugin/commit/aec43e370550b26636aa9cab0f23a5cbcffdc44f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/urltrigger-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-06-25/#SECURITY-819"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "URLTrigger Plugin server-side request forgery vulnerability"
}

GHSA-RV94-VQVR-WJJH

Vulnerability from github – Published: 2026-07-17 03:31 – Updated: 2026-07-17 03:31
VLAI
Details

Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to internal services via unrestricted protocol handlers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-62234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-17T02:18:11Z",
    "severity": "HIGH"
  },
  "details": "Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to internal services via unrestricted protocol handlers.",
  "id": "GHSA-rv94-vqvr-wjjh",
  "modified": "2026-07-17T03:31:24Z",
  "published": "2026-07-17T03:31:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-58q8-f7v4-w2vf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62234"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/grav-ssrf-via-unrestricted-curl-protocols"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RVCC-GW8C-8P8F

Vulnerability from github – Published: 2026-03-11 03:31 – Updated: 2026-03-11 03:31
VLAI
Details

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and access unauthorized resources. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-11T03:15:54Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and access unauthorized resources. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-rvcc-gw8c-8p8f",
  "modified": "2026-03-11T03:31:28Z",
  "published": "2026-03-11T03:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21293"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb26-05.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RVPW-P7VW-WJ3M

Vulnerability from github – Published: 2025-06-16 19:37 – Updated: 2025-06-16 21:46
VLAI
Summary
OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint
Details

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package.

The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint.

This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next. For example: https://victim-site.com/_next/image?url=https://attacker.com. In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Impact

  • SSRF via unrestricted remote URL loading
  • Arbitrary remote content loading
  • Potential internal service exposure or phishing risks through domain abuse

Mitigation

The following mitigations have been put in place:

Server side updates to Cloudflare’s platform to restrict the content loaded via the /_next/image endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next

Root cause fix: Pull request https://github.com/opennextjs/opennextjs-cloudflare/pull/727 to the Cloudflare adapter for Open Next. The patched version of the adapter is found here @opennextjs/cloudflare@1.3.0

Package dependency update: Pull request https://github.com/cloudflare/workers-sdk/pull/9608 to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is found at create-cloudflare@2.49.3.

In addition to the automatic mitigation deployed on Cloudflare’s platform, we encourage affected users to upgrade to @opennext/cloudflare v1.3.0 and use the remotePatterns filter in Next config if they need to allow-list external urls with images assets.

Credits

Disclosed responsibly by security researcher Edward Coristine. Thank you for the report.

References

https://www.cve.org/cverecord?id=CVE-2025-6087

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@opennextjs/cloudflare"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-6087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-16T19:37:16Z",
    "nvd_published_at": "2025-06-16T19:15:33Z",
    "severity": "HIGH"
  },
  "details": "A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. \n\nThe vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the `/_next/image` endpoint. \n\nThis issue allowed attackers to load remote resources from arbitrary hosts under the victim site\u2019s domain for any site deployed using the Cloudflare adapter for Open Next.  For example: `https://victim-site.com/_next/image?url=https://attacker.com`. In this example, attacker-controlled content from attacker.com is served through the victim site\u2019s domain (`victim-site.com`), violating the same-origin policy and potentially misleading users or other services.\n\n### Impact\n\n- SSRF via unrestricted remote URL loading \n- Arbitrary remote content loading \n- Potential internal service exposure or phishing risks through domain abuse \n\n\n### Mitigation\n\nThe following mitigations have been put in place: \n\n**Server side updates** to Cloudflare\u2019s platform to restrict the content loaded via the `/_next/image` endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next \n\n**Root cause fix**: Pull request https://github.com/opennextjs/opennextjs-cloudflare/pull/727  to the Cloudflare adapter for Open Next. The patched version of the adapter is found here  [@opennextjs/cloudflare@1.3.0](https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0)\n\n**Package dependency update**: Pull request https://github.com/cloudflare/workers-sdk/pull/9608  to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is found at [create-cloudflare@2.49.3](https://www.npmjs.com/package/create-cloudflare/v/2.49.3).\n\n In addition to the automatic mitigation deployed on Cloudflare\u2019s platform, we encourage affected users to upgrade to @opennext/cloudflare v1.3.0 and use the [remotePatterns](https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) filter in Next config if they need to allow-list external urls with images assets.\n\n### Credits\n\nDisclosed responsibly by security researcher Edward Coristine. Thank you for the report.\n\n### References\n\nhttps://www.cve.org/cverecord?id=CVE-2025-6087",
  "id": "GHSA-rvpw-p7vw-wj3m",
  "modified": "2025-06-16T21:46:51Z",
  "published": "2025-06-16T19:37:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-rvpw-p7vw-wj3m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6087"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/pull/9608"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opennextjs/opennextjs-cloudflare/pull/727"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opennextjs/opennextjs-cloudflare/commit/36119c0f490c95b3d4f6e826d745b728c80625ab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opennextjs/opennextjs-cloudflare"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint"
}

GHSA-RW4W-8H9P-VMJ3

Vulnerability from github – Published: 2025-10-03 18:31 – Updated: 2025-10-03 21:30
VLAI
Details

TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T16:16:17Z",
    "severity": "MODERATE"
  },
  "details": "TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains.",
  "id": "GHSA-rw4w-8h9p-vmj3",
  "modified": "2025-10-03T21:30:56Z",
  "published": "2025-10-03T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55971"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Szym0n13k/CVE-2025-55971-Blind-Unauthenticated-SSRF-in-TCL-Smart-TV-UPnP-DLNA-AVTransport"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=FeNLGR_xFIA"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RW83-V3PW-M362

Vulnerability from github – Published: 2023-01-30 06:30 – Updated: 2023-02-07 23:25
VLAI
Summary
Withdrawn: safeurl-python contains Server-Side Request Forgery
Details

Withdrawn

This advisory has been withdrawn as a duplicate of GHSA-jgh8-vchw-q3g7.

Original Description

isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "safeurl-python"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-01T20:04:51Z",
    "nvd_published_at": "2023-01-30T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "## Withdrawn\n\nThis advisory has been withdrawn as a duplicate of [GHSA-jgh8-vchw-q3g7](https://github.com/advisories/GHSA-jgh8-vchw-q3g7).\n\n## Original Description\n\nisInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF.",
  "id": "GHSA-rw83-v3pw-m362",
  "modified": "2023-02-07T23:25:27Z",
  "published": "2023-01-30T06:30:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/IncludeSecurity/safeurl-python/security/advisories/GHSA-jgh8-vchw-q3g7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24622"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IncludeSecurity/safeurl-python"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn: safeurl-python contains Server-Side Request Forgery",
  "withdrawn": "2023-02-01T20:04:51Z"
}

GHSA-RW8P-C6HF-Q3PG

Vulnerability from github – Published: 2026-03-06 18:40 – Updated: 2026-03-09 15:50
VLAI
Summary
PinchTab has SSRF with Full Response Exfiltration via Download Handler
Details

SSRF with Full Response Exfiltration via Download Handler

Summary

A Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.

Details

The GET /download?url=<url> handler in download.go accepts a user-controlled url parameter and passes it directly to chromedp.Navigate(dlURL) without any validation or sanitization.

// internal/handlers/download.go:78
if err := chromedp.Run(ctx, chromedp.Navigate(dlURL)); err != nil {
    return fmt.Errorf("navigate to %s: %w", dlURL, err)
}

Since the request is performed by the headless Chrome browser instance managed by PinchTab, it can access: 1. Local Files: Using the file:// scheme (e.g., file:///etc/passwd). 2. Internal Services: Accessing services bound to localhost or internal network IPs that are not reachable from the outside. 3. Cloud Metadata: Accessing cloud provider metadata endpoints (e.g., 169.254.169.254).

The server then returns the captured response body directly to the attacker, enabling full exfiltration of sensitive data.

PoC

To reproduce the vulnerability, ensure the PinchTab server is running and accessible.

  1. Local File Read: Execute the following curl command to read /etc/passwd: bash curl -X GET "http://localhost:9867/download?url=file:///etc/passwd"

  2. Internal Service Access: If a service is running on localhost:8080, access it via: bash curl -X GET "http://localhost:9867/download?url=http://localhost:8080/internal-admin"

The response will contain the content of the targeted file or service.

PoC video:

https://github.com/user-attachments/assets/b15776ea-13cc-4534-ba7b-6d5c4e0ee74f

Impact

This is a high-severity SSRF vulnerability. It impacts the confidentiality and security of the host system and the internal network where PinchTab is deployed. Attackers can exfiltrate sensitive system files, probe internal network infrastructure, and potentially gain access to internal management interfaces or cloud credentials. While PinchTab is often used in local environments, any deployment where the API is exposed (even with authentication) allows a compromised or malicious client to pivot into the internal network.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.7.6"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pinchtab/pinchtab/cmd/pinchtab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T18:40:58Z",
    "nvd_published_at": "2026-03-07T16:15:56Z",
    "severity": "HIGH"
  },
  "details": "# SSRF with Full Response Exfiltration via Download Handler\n\n### Summary\nA Server-Side Request Forgery (SSRF) vulnerability in the `/download` endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.\n\n### Details\nThe `GET /download?url=\u003curl\u003e` handler in [download.go](file:///Users/quan.m.le/Workspaces/pinchtab/internal/handlers/download.go#L78) accepts a user-controlled `url` parameter and passes it directly to `chromedp.Navigate(dlURL)` without any validation or sanitization.\n\n```go\n// internal/handlers/download.go:78\nif err := chromedp.Run(ctx, chromedp.Navigate(dlURL)); err != nil {\n    return fmt.Errorf(\"navigate to %s: %w\", dlURL, err)\n}\n```\n\nSince the request is performed by the headless Chrome browser instance managed by PinchTab, it can access:\n1.  **Local Files**: Using the `file://` scheme (e.g., `file:///etc/passwd`).\n2.  **Internal Services**: Accessing services bound to `localhost` or internal network IPs that are not reachable from the outside.\n3.  **Cloud Metadata**: Accessing cloud provider metadata endpoints (e.g., `169.254.169.254`).\n\nThe server then returns the captured response body directly to the attacker, enabling full exfiltration of sensitive data.\n\n### PoC\nTo reproduce the vulnerability, ensure the PinchTab server is running and accessible.\n\n1.  **Local File Read**:\n    Execute the following curl command to read `/etc/passwd`:\n    ```bash\n    curl -X GET \"http://localhost:9867/download?url=file:///etc/passwd\"\n    ```\n\n2.  **Internal Service Access**:\n    If a service is running on `localhost:8080`, access it via:\n    ```bash\n    curl -X GET \"http://localhost:9867/download?url=http://localhost:8080/internal-admin\"\n    ```\n\nThe response will contain the content of the targeted file or service.\n\n\nPoC video:\n\nhttps://github.com/user-attachments/assets/b15776ea-13cc-4534-ba7b-6d5c4e0ee74f\n\n### Impact\nThis is a high-severity SSRF vulnerability. It impacts the confidentiality and security of the host system and the internal network where PinchTab is deployed. Attackers can exfiltrate sensitive system files, probe internal network infrastructure, and potentially gain access to internal management interfaces or cloud credentials. While PinchTab is often used in local environments, any deployment where the API is exposed (even with authentication) allows a compromised or malicious client to pivot into the internal network.",
  "id": "GHSA-rw8p-c6hf-q3pg",
  "modified": "2026-03-09T15:50:19Z",
  "published": "2026-03-06T18:40:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-rw8p-c6hf-q3pg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30834"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pinchtab/pinchtab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PinchTab has SSRF with Full Response Exfiltration via Download Handler"
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.