9 matches found
GHSA-FVH2-GM75-J4J7 dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport
Summary dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host...
Exploit for Server-Side Request Forgery in Vercel Next.Js
CVE-2026-44578 — Next.js WebSocket Upgrade SSRF Pre-authentic...
PT-2026-7089
The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note - the "mcp-run-python" project is archived and unlikely to receive a fix...
mod_proxy_cluster: mod_proxy_cluster unauthorized MCMP requests
A vulnerability was found in modproxycluster. The issue is that the directive should be replaced by the directive as the former does not restrict IP/host access as Require ip IPADDRESS would suggest. This means that anyone with access to the host might send MCMP requests that may result in...
imgproxy is vulnerable to SSRF against 0.0.0.0
Summary Imgproxy does not block the 0.0.0.0 address, even with IMGPROXYALLOWLOOPBACKSOURCEADDRESSES set to false. This can expose services on the local host. Details imgproxy protects against SSRF against a loopback address with the following check source: if !config.AllowLoopbackSourceAddresses ...
CVE-2025-24354
imgproxy is server for resizing, processing, and converting images. Imgproxy does not block the 0.0.0.0 address, even with IMGPROXYALLOWLOOPBACKSOURCEADDRESSES set to false. This can expose services on the local host. This vulnerability is fixed in 3.27.2...
CVE-2025-24354
Imgproxy (CVE-2025-24354) is affected by a Server-Side Request Forgery (SSRF) due to not blocking the 0.0.0.0 address when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is false. This allows access to local-host services because 0.0.0.0 is not considered loopback by Go’s ip.IsLoopback() check. The iss...
CVE-2025-24354 imgproxy is vulnerable to SSRF against 0.0.0.0
imgproxy is server for resizing, processing, and converting images. Imgproxy does not block the 0.0.0.0 address, even with IMGPROXYALLOWLOOPBACKSOURCEADDRESSES set to false. This can expose services on the local host. This vulnerability is fixed in 3.27.2...
PT-2025-5337 · Imgproxy +1 · Imgproxy +1
Name of the Vulnerable Software and Affected Versions: imgproxy versions prior to 3.27.2 Description: The issue concerns imgproxy, a server for resizing, processing, and converting images. It does not block the 0.0.0.0 address, even when IMGPROXY ALLOW LOOPBACK SOURCE ADDRESSES is set to false...