CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4625 vulnerabilities reference this CWE, most recent first.
GHSA-V8V6-2CHV-GCGP
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:38An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31. In any POST request, one can replace the port number at WebServiceLocation=http://localhost:8085/UCWebServices/ with a range of ports to determine what is visible on the internal network (as opposed to what general web traffic would see on the product's host). The response from open ports is different than from closed ports. The product does not allow one to change the protocol: anything except http(s) will throw an error; however, it is the type of error that allows one to determine if a port is open or not.
{
"affected": [],
"aliases": [
"CVE-2019-16948"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-13T17:15:00Z",
"severity": "CRITICAL"
},
"details": "An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31. In any POST request, one can replace the port number at WebServiceLocation=http://localhost:8085/UCWebServices/ with a range of ports to determine what is visible on the internal network (as opposed to what general web traffic would see on the product\u0027s host). The response from open ports is different than from closed ports. The product does not allow one to change the protocol: anything except http(s) will throw an error; however, it is the type of error that allows one to determine if a port is open or not.",
"id": "GHSA-v8v6-2chv-gcgp",
"modified": "2024-04-04T02:38:49Z",
"published": "2022-05-24T17:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16948"
},
{
"type": "WEB",
"url": "https://mjlanders.com/2019/11/07/multiple-vulnerabilities-found-in-enghouse-zeacom-web-chat"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V8WJ-F5C7-PVXF
Vulnerability from github – Published: 2025-05-27 17:59 – Updated: 2025-05-29 21:03Description
In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as localhost, 127.0.0.1, 0.0.0.0,.... in order to make the Application fetching into the internal itself, which causes the vulnerability Server - Side Request Forgery (SSRF).
Payloads
http://127.0.0.1:80->The Port is not openhttp://127.0.0.1:1337->The Port which Strapi is running on
Steps to Reproduce
- First of all, let's input the URL
http://127.0.0.1:80into theURLfield, and click "Save".
- Next, use the "Trigger" function and use Burp Suite to capture the request / response
- The server return
request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80, BECAUSE thePort 80is not open, since we are running Strapi onPort 1337, let's change the URL we input above intohttp://127.0.0.1:1337
- Continue to click the "Trigger" function, use Burp to capture the request / response
- The server returns
Method Not Allowed, which means that there actually is aPort 1337running the machine.
PoC
Here is the Poc Video, please check:
https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing
Impact
- If there is a real server running Strapi with many ports open, by using this SSRF vulnerability, the attacker can brute-force through all 65535 ports to know what ports are open.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@strapi/admin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.25.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52588"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-27T17:59:52Z",
"nvd_published_at": "2025-05-29T09:15:25Z",
"severity": "MODERATE"
},
"details": "## Description\nIn Strapi latest version, at function Settings -\u003e Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as `localhost`, `127.0.0.1`, `0.0.0.0`,.... in order to make the Application fetching into the internal itself, which causes the vulnerability `Server - Side Request Forgery (SSRF)`.\n\n\n## Payloads\n- `http://127.0.0.1:80` -\u003e `The Port is not open`\n- `http://127.0.0.1:1337` -\u003e `The Port which Strapi is running on`\n\n\n## Steps to Reproduce\n- First of all, let\u0027s input the URL `http://127.0.0.1:80` into the `URL` field, and click \"Save\".\n\n\n\n\n\n- Next, use the \"Trigger\" function and use Burp Suite to capture the request / response\n\n\n\n\n\n- The server return `request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80`, BECAUSE the `Port 80` is not open, since we are running Strapi on `Port 1337`, let\u0027s change the URL we input above into `http://127.0.0.1:1337`\n\n\n\n\n\n- Continue to click the \"Trigger\" function, use Burp to capture the request / response\n\n\n\n\n\n- The server returns `Method Not Allowed`, which means that there actually is a `Port 1337` running the machine.\n\n\n## PoC\nHere is the Poc Video, please check: \n\nhttps://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing\n\n## Impact\n\n- If there is a real server running Strapi with many ports open, by using this SSRF vulnerability, the attacker can brute-force through all 65535 ports to know what ports are open.",
"id": "GHSA-v8wj-f5c7-pvxf",
"modified": "2025-05-29T21:03:02Z",
"published": "2025-05-27T17:59:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52588"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Strapi allows Server-Side Request Forgery in Webhook function"
}
GHSA-V93X-3HQQ-X949
Vulnerability from github – Published: 2025-09-15 06:30 – Updated: 2025-09-15 06:30O'View MapServer developed by PilotGaea Technologies has a Server-Side Request Forgery vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to probe internal network.
{
"affected": [],
"aliases": [
"CVE-2025-10453"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T06:15:36Z",
"severity": "MODERATE"
},
"details": "O\u0027View MapServer developed by PilotGaea Technologies has a Server-Side Request Forgery vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to probe internal network.",
"id": "GHSA-v93x-3hqq-x949",
"modified": "2025-09-15T06:30:27Z",
"published": "2025-09-15T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10453"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10382-781cc-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10381-4d482-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V9MP-J8G7-2Q6M
Vulnerability from github – Published: 2023-01-30 06:30 – Updated: 2024-05-20 21:44Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hakobe/paranoidhttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24623"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T21:51:47Z",
"nvd_published_at": "2023-01-30T05:15:00Z",
"severity": "HIGH"
},
"details": "Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.",
"id": "GHSA-v9mp-j8g7-2q6m",
"modified": "2024-05-20T21:44:34Z",
"published": "2023-01-30T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24623"
},
{
"type": "WEB",
"url": "https://github.com/hakobe/paranoidhttp/commit/07f671da14ce63a80f4e52432b32e8d178d75fd3"
},
{
"type": "PACKAGE",
"url": "https://github.com/hakobe/paranoidhttp"
},
{
"type": "WEB",
"url": "https://github.com/hakobe/paranoidhttp/blob/master/CHANGELOG.md#v030-2023-01-19"
},
{
"type": "WEB",
"url": "https://github.com/hakobe/paranoidhttp/compare/v0.2.0...v0.3.0"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1526"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Paranoidhttp Server-Side Request Forgery vulnerability"
}
GHSA-V9QG-8JQW-Q8XG
Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15Server Side Request Forgery vulnerability in Vebto Pixie Image Editor 1.4 and 1.7 allows remote attackers to disclose information or execute arbitrary code via the url parameter to Launderer.php.
{
"affected": [],
"aliases": [
"CVE-2017-12905"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-25T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Server Side Request Forgery vulnerability in Vebto Pixie Image Editor 1.4 and 1.7 allows remote attackers to disclose information or execute arbitrary code via the url parameter to Launderer.php.",
"id": "GHSA-v9qg-8jqw-q8xg",
"modified": "2022-05-13T01:15:01Z",
"published": "2022-05-13T01:15:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12905"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Sep/47"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V9R3-MCXC-M58R
Vulnerability from github – Published: 2025-09-13 00:30 – Updated: 2025-09-13 00:30A vulnerability was detected in cdevroe unmark up to 1.9.3. This affects an unknown part of the file /application/controllers/Marks.php. The manipulation of the argument url results in server-side request forgery. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10329"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-12T22:15:33Z",
"severity": "MODERATE"
},
"details": "A vulnerability was detected in cdevroe unmark up to 1.9.3. This affects an unknown part of the file /application/controllers/Marks.php. The manipulation of the argument url results in server-side request forgery. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-v9r3-mcxc-m58r",
"modified": "2025-09-13T00:30:34Z",
"published": "2025-09-13T00:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10329"
},
{
"type": "WEB",
"url": "https://github.com/YZS17/CVE/blob/main/unmark/ssrf1.md"
},
{
"type": "WEB",
"url": "https://github.com/YZS17/CVE/blob/main/unmark/ssrf1.md#poc"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.323755"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.323755"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.643531"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V9RF-4G2W-68JC
Vulnerability from github – Published: 2022-04-05 00:00 – Updated: 2022-04-13 00:00Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
{
"affected": [],
"aliases": [
"CVE-2022-0990"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-04T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.",
"id": "GHSA-v9rf-4g2w-68jc",
"modified": "2022-04-13T00:00:48Z",
"published": "2022-04-05T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0990"
},
{
"type": "WEB",
"url": "https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/31649903-c19c-4dae-aee0-a04b095855c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V9VV-QFG5-CXFG
Vulnerability from github – Published: 2025-05-29 18:31 – Updated: 2025-05-29 18:31maccms10 v2025.1000.4047 is vulnerable to Server-side request forgery (SSRF) in Email Settings.
{
"affected": [],
"aliases": [
"CVE-2025-45474"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-29T16:15:40Z",
"severity": "HIGH"
},
"details": "maccms10 v2025.1000.4047 is vulnerable to Server-side request forgery (SSRF) in Email Settings.",
"id": "GHSA-v9vv-qfg5-cxfg",
"modified": "2025-05-29T18:31:19Z",
"published": "2025-05-29T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45474"
},
{
"type": "WEB",
"url": "https://www.yuque.com/morysummer/vx41bz/ptnnp4eema601rvz"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VCMF-HJ5V-RWXJ
Vulnerability from github – Published: 2023-02-16 21:30 – Updated: 2023-03-06 18:30Server-side request forgery in the CVAT software maintained by Intel(R) before version 2.0.1 may allow an authenticated user to potentially enable information disclosure via network access.
{
"affected": [],
"aliases": [
"CVE-2022-27234"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-16T21:15:00Z",
"severity": "MODERATE"
},
"details": "Server-side request forgery in the CVAT software maintained by Intel(R) before version 2.0.1 may allow an authenticated user to potentially enable information disclosure via network access.",
"id": "GHSA-vcmf-hj5v-rwxj",
"modified": "2023-03-06T18:30:21Z",
"published": "2023-02-16T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27234"
},
{
"type": "WEB",
"url": "http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00762.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCRJ-9GMF-8P66
Vulnerability from github – Published: 2024-03-28 09:31 – Updated: 2026-04-28 21:34Server-Side Request Forgery (SSRF) vulnerability in NiteoThemes CMP – Coming Soon & Maintenance.This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.10.
{
"affected": [],
"aliases": [
"CVE-2023-50374"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-28T07:15:50Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in NiteoThemes CMP \u2013 Coming Soon \u0026 Maintenance.This issue affects CMP \u2013 Coming Soon \u0026 Maintenance: from n/a through 4.1.10.",
"id": "GHSA-vcrj-9gmf-8p66",
"modified": "2026-04-28T21:34:24Z",
"published": "2024-03-28T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50374"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/cmp-coming-soon-maintenance/wordpress-cmp-coming-soon-maintenance-plugin-by-niteothemes-plugin-4-1-10-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.