102 matches found
GHSA-4VMC-GM8V-M35H Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
Summary The default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://::ffff:127.0.0.1:... and reach loopback or private HTTP services that the...
PT-2026-38386
Name of the Vulnerable Software and Affected Versions Gotenberg versions prior to 8.31.0 Description An unauthenticated attacker can bypass the default deny-lists used by the downloadFrom and webhook features. The issue occurs because the filtering logic uses case-sensitive regular expressions th...
dssrf: every IPv6 category bypasses is_url_safe
A vulnerability on dssrf allow, an attacker to use, one of them following ipv6 rust Input Category http://::1/ IPv6 loopback http://fc00::1/ IPv6 ULA http://fe80::1/ IPv6 link-local http://::ffff:127.0.0.1/ IPv4-mapped loopback http://::ffff:169.254.169.254/ IPv4-mapped IMDS...
link-preview-js vulnerable to IPv6 and internal loopback attacks
Impact The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. Patches Problem has been patched in version 4.0.1. However, it cannot be completely solved by the package alone. T...
CVE-2026-42043
A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses within the 127.0.0.0/8 range, excluding 127.0.0.1, the attacker can completely bypass the...
CVE-2026-42038
A flaw was found in Axios, a software library used for making web requests. This vulnerability allows an attacker to bypass the noproxy configuration, which is designed to prevent certain internal network requests from being sent through an external proxy. Specifically, when noproxy=localhost is...
Proxy Bypass
Axios is vulnerable to Proxy Bypass. The vulnerability is due to incomplete NOPROXY handling for loopback addresses, where requests to the 127.0.0.0/8 range excluding 127.0.0.1 bypass proxy restrictions, allowing attackers to access internal or local services despite configured protections...
CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...
PT-2026-35048
Name of the Vulnerable Software and Affected Versions Axios versions prior to 0.31.1 Axios versions prior to 1.15.1 Description An incomplete fix for no proxy hostname normalization bypass allows requests to 127.0.0.1 and ::1 to route through a proxy even when no proxy=localhost is configured. Th...
Server-Side Request Forgery (SSRF)
Axios is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper hostname normalization when evaluating NOPROXY rules, where crafted loopback addresses e.g., localhost. or ::1 bypass proxy exclusions and are routed through the proxy, allowing attackers to access...
EUVD-2025-209381
Axios has a NOPROXY Hostname Normalization Bypass Leads to SSRF...
CVE-2025-62718
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching and go...
UBUNTU-CVE-2025-62718
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching and go...
CVE-2025-62718 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching and go...
CVE-2025-62718
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching and go through the...
PT-2026-31616
Name of the Vulnerable Software and Affected Versions Axios versions prior to 0.31.0 Axios versions prior to 1.15.0 Description Axios does not correctly handle hostname normalization when checking NO PROXY rules. Because the software performs a literal string comparison instead of normalizing...
CVE-2026-31943
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, isPrivateIP in packages/api/src/auth/domain.ts fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests ...
EUVD-2026-16764
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, isPrivateIP in packages/api/src/auth/domain.ts fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests ...
EUVD-2026-16369
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...
CVE-2026-33537 Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...