Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4613 vulnerabilities reference this CWE, most recent first.

GHSA-WP47-9R3H-XFGQ

Vulnerability from github – Published: 2022-02-07 00:00 – Updated: 2022-02-14 22:58
VLAI
Summary
Server-Side Request Forgery in Apache Traffic Control
Details

In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/apache/trafficcontrol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/apache/trafficcontrol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-14T22:58:25Z",
    "nvd_published_at": "2022-02-06T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.",
  "id": "GHSA-wp47-9r3h-xfgq",
  "modified": "2022-02-14T22:58:25Z",
  "published": "2022-02-07T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23206"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Server-Side Request Forgery in Apache Traffic Control"
}

GHSA-WP52-R2FP-4VMR

Vulnerability from github – Published: 2026-03-10 21:32 – Updated: 2026-03-19 16:35
VLAI
Summary
pdfmake is vulnerable to server-side request forgery (SSRF)
Details

Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pdfmake"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0-beta.2"
            },
            {
              "fixed": "0.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T21:12:09Z",
    "nvd_published_at": "2026-03-10T19:17:17Z",
    "severity": "HIGH"
  },
  "details": "Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.",
  "id": "GHSA-wp52-r2fp-4vmr",
  "modified": "2026-03-19T16:35:25Z",
  "published": "2026-03-10T21:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26801"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bpampuch/pdfmake/pull/2920"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bpampuch/pdfmake"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bpampuch/pdfmake/releases/tag/0.3.6"
    },
    {
      "type": "WEB",
      "url": "https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pdfmake is vulnerable to server-side request forgery (SSRF)"
}

GHSA-WPF2-5J53-3CXV

Vulnerability from github – Published: 2025-04-17 21:31 – Updated: 2025-04-21 21:30
VLAI
Details

An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the site settings component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-17T21:15:50Z",
    "severity": "MODERATE"
  },
  "details": "An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the site settings component.",
  "id": "GHSA-wpf2-5j53-3cxv",
  "modified": "2025-04-21T21:30:30Z",
  "published": "2025-04-17T21:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29450"
    },
    {
      "type": "WEB",
      "url": "https://www.yuque.com/morysummer/vx41bz/ftlzvxve3t5713c6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPFF-WM84-X5CX

Vulnerability from github – Published: 2024-04-04 14:39 – Updated: 2025-06-30 17:54
VLAI
Summary
Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check
Details

Impact

What kind of vulnerability is it? Who is impacted? SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When malicious app is uploaded to Static analyzer, it is possible to make internal requests.

Credits: Oleg Surnin (Positive Technologies).

Patches

Has the problem been patched? What versions should users upgrade to? v3.9.8 and above

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Code level patch

References

Are there any links users can visit to find out more? https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.9.7"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "mobsf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-04T14:39:03Z",
    "nvd_published_at": "2024-04-04T16:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nSSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization\u2019s infrastructure. When malicious app is uploaded to Static analyzer, it is possible to make internal requests.\n\nCredits:  Oleg Surnin (Positive Technologies).\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nv3.9.8 and above\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nCode level patch\n\n### References\n_Are there any links users can visit to find out more?_\nhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373",
  "id": "GHSA-wpff-wm84-x5cx",
  "modified": "2025-06-30T17:54:56Z",
  "published": "2024-04-04T14:39:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31215"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check"
}

GHSA-WPH3-44RJ-92PR

Vulnerability from github – Published: 2021-06-16 17:04 – Updated: 2022-08-11 00:02
VLAI
Summary
elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE
Details

Impact

We recently fixed several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with the minimal configuration.

Patches

The issues were addressed in our last release, 2.1.59.

Workarounds

If you can't update to 2.1.59, make sure your connector is not exposed without authentication.

Reference

Further technical details will be disclosed on https://blog.sonarsource.com/tag/security after some time.

For more information

If you have any questions or comments about this advisory, you can contact: - The original reporters, by sending an email to vulnerability.research@sonarsource.com; - The maintainers, by opening an issue on this repository.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "studio-42/elfinder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32682"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-78",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-15T21:01:45Z",
    "nvd_published_at": "2021-06-14T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nWe recently fixed several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with the minimal configuration. \n\n### Patches\n\nThe issues were addressed in our last release, 2.1.59. \n\n### Workarounds\n\nIf you can\u0027t update to 2.1.59, make sure your connector is not exposed without authentication.\n\n### Reference\n\nFurther technical details will be disclosed on https://blog.sonarsource.com/tag/security after some time.\n\n### For more information\n\nIf you have any questions or comments about this advisory, you can contact:\n    - The original reporters, by sending an email to vulnerability.research@sonarsource.com;\n    - The maintainers, by opening an issue on this repository.",
  "id": "GHSA-wph3-44rj-92pr",
  "modified": "2022-08-11T00:02:01Z",
  "published": "2021-06-16T17:04:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Studio-42/elFinder/security/advisories/GHSA-qm58-cvvm-c5qr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32682"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17"
    },
    {
      "type": "WEB",
      "url": "https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Studio-42/elFinder"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/164173/elFinder-Archive-Command-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE"
}

GHSA-WPHX-MJPF-39XM

Vulnerability from github – Published: 2025-03-22 09:30 – Updated: 2025-03-22 09:30
VLAI
Details

The Your Friendly Drag and Drop Page Builder — Make Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.10 via the make_builder_ajax_subscribe() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13856"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-22T07:15:24Z",
    "severity": "MODERATE"
  },
  "details": "The Your Friendly Drag and Drop Page Builder \u2014 Make Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.10 via the make_builder_ajax_subscribe() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
  "id": "GHSA-wphx-mjpf-39xm",
  "modified": "2025-03-22T09:30:32Z",
  "published": "2025-03-22T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13856"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/make-builder/trunk/plugins-screen.php#L83"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3259333%40make-builder%2Ftrunk\u0026old=2235851%40make-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/make-builder/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ffcb74b-230b-4629-b22d-5db96ac5fa06?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ29-3HM6-R46X

Vulnerability from github – Published: 2022-05-14 03:19 – Updated: 2022-05-14 03:19
VLAI
Details

An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold system, or (3) execute remote commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-8939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-01T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold system, or (3) execute remote commands.",
  "id": "GHSA-wq29-3hm6-r46x",
  "modified": "2022-05-14T03:19:00Z",
  "published": "2022-05-14T03:19:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8939"
    },
    {
      "type": "WEB",
      "url": "https://docs.ipswitch.com/NM/WhatsUpGold2018/01_ReleaseNotes/index.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ2M-PVCJ-FM24

Vulnerability from github – Published: 2025-12-18 15:30 – Updated: 2025-12-18 15:30
VLAI
Details

The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX action. This makes it possible for authenticated attackers, with subscriber level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T13:15:47Z",
    "severity": "MODERATE"
  },
  "details": "The Prime Slider \u2013 Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX action. This makes it possible for authenticated attackers, with subscriber level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
  "id": "GHSA-wq2m-pvcj-fm24",
  "modified": "2025-12-18T15:30:42Z",
  "published": "2025-12-18T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14277"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3419222/bdthemes-prime-slider-lite"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/069a56a1-ca17-43cc-a51f-51b6111f5b61?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQP7-X3PW-XC5R

Vulnerability from github – Published: 2026-06-15 20:16 – Updated: 2026-06-15 20:16
VLAI
Summary
Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
Details

Summary

When serving static files on Windows, StaticFiles resolves the requested path with os.path.realpath. If a UNC path (such as \\attacker.com\share) reaches the resolver, realpath causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account's NTLMv2 credentials to the attacker-controlled host, which can then be cracked offline or relayed to other hosts.

Details

StaticFiles.lookup_path() joins the requested path onto the served directory and calls os.path.realpath on the result before checking containment with os.path.commonpath. On Windows, a UNC path is absolute, so os.path.join discards the served directory and realpath resolves the bare UNC path, triggering the outbound SMB connection and NTLM authentication before the containment check rejects the path. The HTTP response is a benign 404, but the credential disclosure has already happened. POSIX systems are not affected.

This only affects the default configuration (follow_symlink=False), which uses os.path.realpath. The follow_symlink=True branch uses os.path.abspath, which performs no I/O.

Impact

Applications running on Windows that serve files with StaticFiles (directly, or via a framework built on Starlette such as FastAPI) in the default configuration are affected. StaticFiles is typically unauthenticated, so any client can trigger the SMB connection and leak the service account's NTLMv2 hash. A secondary impact is discovering internal hosts reachable over SMB by timing responses for valid versus invalid addresses.

Mitigation

Applications not running on Windows are not affected. On Windows, serving static files through a dedicated web server (such as nginx or IIS) instead of StaticFiles avoids the issue. Blocking outbound SMB (port 445) from the application host prevents the credential disclosure even if a UNC path is resolved.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "starlette"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T20:16:30Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nWhen serving static files on Windows, `StaticFiles` resolves the requested path with [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\\\attacker.com\\share`) reaches the resolver, `realpath` causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account\u0027s NTLMv2 credentials to the attacker-controlled host, which can then be cracked offline or relayed to other hosts.\n\n### Details\n\n`StaticFiles.lookup_path()` joins the requested path onto the served directory and calls [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath) on the result before checking containment with [`os.path.commonpath`](https://docs.python.org/3/library/os.path.html#os.path.commonpath). On Windows, a UNC path is absolute, so [`os.path.join`](https://docs.python.org/3/library/os.path.html#os.path.join) discards the served directory and `realpath` resolves the bare UNC path, triggering the outbound SMB connection and NTLM authentication before the containment check rejects the path. The HTTP response is a benign 404, but the credential disclosure has already happened. POSIX systems are not affected.\n\nThis only affects the default configuration (`follow_symlink=False`), which uses [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). The `follow_symlink=True` branch uses [`os.path.abspath`](https://docs.python.org/3/library/os.path.html#os.path.abspath), which performs no I/O.\n\n### Impact\n\nApplications running on Windows that serve files with `StaticFiles` (directly, or via a framework built on Starlette such as FastAPI) in the default configuration are affected. `StaticFiles` is typically unauthenticated, so any client can trigger the SMB connection and leak the service account\u0027s NTLMv2 hash. A secondary impact is discovering internal hosts reachable over SMB by timing responses for valid versus invalid addresses.\n\n### Mitigation\n\nApplications not running on Windows are not affected. On Windows, serving static files through a dedicated web server (such as nginx or IIS) instead of `StaticFiles` avoids the issue. Blocking outbound SMB (port 445) from the application host prevents the credential disclosure even if a UNC path is resolved.",
  "id": "GHSA-wqp7-x3pw-xc5r",
  "modified": "2026-06-15T20:16:30Z",
  "published": "2026-06-15T20:16:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Kludex/starlette"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows"
}

GHSA-WQVR-8G58-79VV

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:07
VLAI
Details

SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-02T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF.",
  "id": "GHSA-wqvr-8g58-79vv",
  "modified": "2024-04-04T02:07:37Z",
  "published": "2022-05-24T16:57:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13335"
    },
    {
      "type": "WEB",
      "url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
    },
    {
      "type": "WEB",
      "url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_7"
    },
    {
      "type": "WEB",
      "url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.