CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4600 vulnerabilities reference this CWE, most recent first.
GHSA-WRX7-QGMJ-MF2Q
Vulnerability from github – Published: 2022-01-08 00:43 – Updated: 2022-01-07 23:16All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kylin:kylin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-27738"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-07T23:16:38Z",
"nvd_published_at": "2022-01-06T13:15:00Z",
"severity": "MODERATE"
},
"details": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.",
"id": "GHSA-wrx7-qgmj-mf2q",
"modified": "2022-01-07T23:16:38Z",
"published": "2022-01-08T00:43:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27738"
},
{
"type": "WEB",
"url": "https://github.com/apache/kylin/pull/1646"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/kylin"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/01/06/6"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Server-Side Request Forgery in Apache Kylin"
}
GHSA-WV3H-5FX7-966H
Vulnerability from github – Published: 2026-04-04 06:10 – Updated: 2026-04-07 14:20Summary
A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation.
Details
Directus implements an IP deny-list to prevent server-side requests to internal/private network ranges. The validation logic failed to normalize IPv4-Mapped IPv6 addresses (e.g., the IPv6 representation of 127.0.0.1) before checking them against the deny-list. Because the deny-list check did not recognize these mapped addresses as equivalent to their IPv4 counterparts, an attacker could bypass the restriction while the underlying HTTP client and operating system still resolved and connected to the intended private target.
This has been fixed by adding a normalization step that converts IPv4-Mapped IPv6 addresses to their canonical IPv4 form prior to validation.
Impact
An authenticated user (or an unauthenticated user if public file-import permissions are enabled) could exploit this bypass to perform SSRF attacks against internal services on the same host (databases, caches, internal APIs) or cloud instance metadata endpoints (e.g., AWS/GCP/Azure IMDS).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35409"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T06:10:53Z",
"nvd_published_at": "2026-04-06T22:16:21Z",
"severity": "HIGH"
},
"details": "### Summary\nA Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation.\n\n### Details\nDirectus implements an IP deny-list to prevent server-side requests to internal/private network ranges. The validation logic failed to normalize IPv4-Mapped IPv6 addresses (e.g., the IPv6 representation of `127.0.0.1`) before checking them against the deny-list. Because the deny-list check did not recognize these mapped addresses as equivalent to their IPv4 counterparts, an attacker could bypass the restriction while the underlying HTTP client and operating system still resolved and connected to the intended private target.\n\nThis has been fixed by adding a normalization step that converts IPv4-Mapped IPv6 addresses to their canonical IPv4 form prior to validation.\n\n### Impact\nAn authenticated user (or an unauthenticated user if public file-import permissions are enabled) could exploit this bypass to perform SSRF attacks against internal services on the same host (databases, caches, internal APIs) or cloud instance metadata endpoints (e.g., AWS/GCP/Azure IMDS).",
"id": "GHSA-wv3h-5fx7-966h",
"modified": "2026-04-07T14:20:08Z",
"published": "2026-04-04T06:10:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35409"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import"
}
GHSA-WV5J-J74P-FV28
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).
{
"affected": [],
"aliases": [
"CVE-2021-35209"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-02T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).",
"id": "GHSA-wv5j-j74p-fv28",
"modified": "2022-05-24T19:06:48Z",
"published": "2022-05-24T19:06:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35209"
},
{
"type": "WEB",
"url": "https://blog.sonarsource.com/zimbra-webmail-compromise-via-email"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WVFV-3QJH-QWXJ
Vulnerability from github – Published: 2026-06-11 18:31 – Updated: 2026-06-11 18:31IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
{
"affected": [],
"aliases": [
"CVE-2026-3341"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T16:16:22Z",
"severity": "MODERATE"
},
"details": "IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.",
"id": "GHSA-wvfv-3qjh-qwxj",
"modified": "2026-06-11T18:31:34Z",
"published": "2026-06-11T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3341"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7275444"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WVQF-QCWJ-MJXR
Vulnerability from github – Published: 2024-09-07 18:30 – Updated: 2024-09-07 18:30A server side request forgery vulnerability allows a low-privileged user to perform local privilege escalation through exploiting an SSRF vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-40718"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-07T17:15:13Z",
"severity": "HIGH"
},
"details": "A server side request forgery vulnerability allows a low-privileged user to perform local privilege escalation through exploiting an SSRF vulnerability.",
"id": "GHSA-wvqf-qcwj-mjxr",
"modified": "2024-09-07T18:30:24Z",
"published": "2024-09-07T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40718"
},
{
"type": "WEB",
"url": "https://www.veeam.com/kb4649"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVWC-5CJJ-52F5
Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-16 18:31PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.
{
"affected": [],
"aliases": [
"CVE-2023-53899"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T17:16:02Z",
"severity": "LOW"
},
"details": "PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the \u0027shortdesc\u0027 parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.",
"id": "GHSA-wvwc-5cjj-52f5",
"modified": "2025-12-16T18:31:34Z",
"published": "2025-12-16T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53899"
},
{
"type": "WEB",
"url": "https://github.com/PodcastGenerator/PodcastGenerator"
},
{
"type": "WEB",
"url": "https://podcastgenerator.net"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51565"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/podcastgenerator-blind-server-side-request-forgery-via-xml-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WW52-R3FC-HC5V
Vulnerability from github – Published: 2023-03-04 00:30 – Updated: 2023-03-10 15:30Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-46973"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-03T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability.",
"id": "GHSA-ww52-r3fc-hc5v",
"modified": "2023-03-10T15:30:42Z",
"published": "2023-03-04T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46973"
},
{
"type": "WEB",
"url": "https://github.com/anji-plus/report/issues/15"
},
{
"type": "WEB",
"url": "https://github.com/Fw-fW-fw/UPDATE-CVE/blob/main/CVE-2022-46973"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WW95-R66Q-V2HH
Vulnerability from github – Published: 2026-02-19 15:30 – Updated: 2026-02-23 15:31SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTML file in the application, which when rendered to a PDF allows for internal port scanning and Local File Inclusion (LFI).
{
"affected": [],
"aliases": [
"CVE-2025-55853"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T15:16:11Z",
"severity": "CRITICAL"
},
"details": "SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTML file in the application, which when rendered to a PDF allows for internal port scanning and Local File Inclusion (LFI).",
"id": "GHSA-ww95-r66q-v2hh",
"modified": "2026-02-23T15:31:14Z",
"published": "2026-02-19T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55853"
},
{
"type": "WEB",
"url": "https://github.com/Vivz13/CVE-2025-55853/tree/main"
},
{
"type": "WEB",
"url": "https://www.webpdf.de"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWCH-WQ4R-QH4W
Vulnerability from github – Published: 2025-12-31 18:30 – Updated: 2026-04-01 18:36Server-Side Request Forgery (SSRF) vulnerability in Jthemes Genemy allows Server Side Request Forgery.This issue affects Genemy: from n/a through 1.6.6.
{
"affected": [],
"aliases": [
"CVE-2025-59138"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-31T17:15:44Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in Jthemes Genemy allows Server Side Request Forgery.This issue affects Genemy: from n/a through 1.6.6.",
"id": "GHSA-wwch-wq4r-qh4w",
"modified": "2026-04-01T18:36:29Z",
"published": "2025-12-31T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59138"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWJM-C5Q6-9GFH
Vulnerability from github – Published: 2021-12-01 00:00 – Updated: 2022-04-28 00:01Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.
{
"affected": [],
"aliases": [
"CVE-2021-43296"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-30T19:15:00Z",
"severity": "HIGH"
},
"details": "Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.",
"id": "GHSA-wwjm-c5q6-9gfh",
"modified": "2022-04-28T00:01:24Z",
"published": "2021-12-01T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43296"
},
{
"type": "WEB",
"url": "https://manageengine.com"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/support-center/readme.html#11016"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.