9 matches found
Security Bulletin: IBM Langflow Desktop 1.0.0 - 1.9.2 DNS Rebinding Bypasses SSRF Protection Allowing Access to Internal Services
Summary A Time-of-Check to Time-of-Use TOCTOU vulnerability in IBM Langflow Desktop's SSRF protection allows authenticated attackers to bypass internal network access restrictions using DNS rebinding attacks. The validateurlforssrf function validates URLs using socket.getaddrinfo, but...
CVE-2026-42346 Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validation paths
Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU Time-of-Check-Time-of-Use vulnerability: isSafePublicHttpsUrl resolves DNS to validate the target IP, but subsequent fetch calls...
CVE-2026-42449
Summary: CVE-2026-42449 affects n8n-mcp SDK embedder paths where SSRF protection (SSRFProtection.validateUrlSync) fails to validate IPv4-mapped IPv6 addresses, enabling an attacker-controlled n8nApiUrl to cause the server to make HTTP requests to internal networks, cloud metadata endpoints, or lo...
CVE-2026-31943 LibreChat has SSRF protection bypass via IPv4-mapped IPv6 normalization in isPrivateIP
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, isPrivateIP in packages/api/src/auth/domain.ts fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests ...
GHSA-GP2F-7WCM-5FHX Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
Summary The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use TOCTOU vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to t...
CVE-2025-68662 FinalDestination hostname matching allows SSRF protection bypass
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and...
EUVD-2016-10553
Malware in sbrugna...
Server-Side Request Forgery (SSRF) in kalcaddle/kodexplorer
✍️ Description SSRF protection bypass via crafted payload which leads to SSRF. 🕵️♂️ Proof of Concept Payload: 2130706433 This is the decimal way of representing localhost which resolves to localhost. 💥 Impact This vulnerability is capable of SSRF...
Slack: Bypass of the SSRF protection (Slack commands, Phabricator integration)
Abstract Some Slack features like "Integrations / Phabricator" and "Integration / Slash Commands" allow users to submit URL that will be accessed by the backend servers. A blacklist tries to forbid access to internal resources loopback, 10.0.0.0/8, 192.168.0.0/24, .... This blacklist can be...