57 matches found
Soft Serve is vulnerable to SSRF through its Webhooks
SUMMARY We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. AFFECTED COMPONENTS VERIFIED 1. Webhook Creation...
Server-Side Request Forgery (SSRF)
cors-anywhere is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to instances being configured as open proxies that forward attacker-controlled target URLs, methods, and headers without restriction, which allows an attacker to induce requests to internal-only endpoints...
GHSA-9F2H-7V79-MXW3 Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
Summary Prototype pollution capabilities on various APIs. Details Injection of malicious payload allows attacker to remotely execute arbitrary code. Parse.Object and internal APIs are affected, specifically: - ParseObject.fromJSON - ParseObject.pin - ParseObject.registerSubclass -...
CVE-2025-62374 Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations internal...
CVE-2025-62374 Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations internal...
CVE-2025-62374 Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations internal...
mitmproxy 安全漏洞
mitmproxy is an interactive, SSL/TLS-enabled interceptor proxy with a console interface for HTTP/1, HTTP/2, and WebSockets from the mitmproxy open source. A security vulnerability exists in mitmproxy version 11.1.1 and earlier, which stems from a malicious client that can utilize the proxy server...
LangChain < 0.2.9 SSRF
The remote host contains a langchain version that is prior to 0.2.9. It is, therefore, affected by a Server-Side Request Forgery vulnerability in the Web Research Retriever component in langchain-community langchain-community.retrievers.webresearch.WebResearchRetriever. The vulnerability arises...
Dell Secure Connect Gateway Access Control Error Vulnerability
Dell Secure Connect Gateway is a secure connectivity gateway from Dell, Inc. An access control error vulnerability exists in Dell Secure Connect Gateway versions prior to 5.24.00.00, which stems from an internal REST API exposure that could be exploited by a remote attacker to potentially apply...
GHSA-Q25C-C977-4CMH Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever
A Server-Side Request Forgery SSRF vulnerability exists in the Web Research Retriever component in langchain-community langchain-community.retrievers.webresearch.WebResearchRetriever. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet...
Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever
A Server-Side Request Forgery SSRF vulnerability exists in the Web Research Retriever component in langchain-community langchain-community.retrievers.webresearch.WebResearchRetriever. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet...
CVE-2024-3095
A Server-Side Request Forgery SSRF vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This...
PT-2024-24092 · Plane · Plane
Name of the Vulnerable Software and Affected Versions: Plane versions prior to 0.17-dev Description: The issue is a Server-Side Request Forgery SSRF vulnerability that may allow an attacker to send arbitrary requests from the server hosting the application, potentially leading to unauthorized...
Updated libuv packages fix security vulnerability
It was discovered that the uvgetaddrinfo function in libuv, an asynchronous event notification library, incorrectly truncated certain hostnames, which may result in bypass of security measures on internal APIs or SSRF attacks. CVE-2024-24806...
Medium: libuv
Issue Overview: libuv is a multi-platform support library with a focus on asynchronous I/O. The uvgetaddrinfo function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c, truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to...
CVE-2024-24806
A server-side request forgery SSRF flaw was found in the libuv package due to how the hostnameascii variable is handled in uvgetaddrinfo and uvidnatoascii. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result, attackers may be able to access...
Server-Side Request Forgery (SSRF)
libuv.so is vulnerable to Server-Side Request Forgery SSRF. The vulnerability arises due to how the hostnameascii variable with a length of 256 bytes is handled in uvgetaddrinfo and subsequently in uvidnatoascii. When the hostname exceeds 256 characters, it gets truncated without a terminating nu...
CVE-2024-24806
libuv is a multi-platform support library with a focus on asynchronous I/O. The uvgetaddrinfo function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c, truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses...
CVE-2024-24806 Improper Domain Lookup that potentially leads to SSRF attacks in libuv
libuv is a multi-platform support library with a focus on asynchronous I/O. The uvgetaddrinfo function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c, truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses...
WireMock Controlled Server Side Request Forgery vulnerability through URL
Impact WireMock can be configured to only permit proxying and therefore recording to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first. Documentation. Until WireMock Webhooks Extension 3.0.0-beta-1...