CVE-2021-25939
- Source
- https://cve.org/CVERecord?id=CVE-2021-25939
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25939.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-25939
- Published
- 2022-02-09T13:15:08.447Z
- Modified
- 2026-02-15T08:05:52.834933Z
- Severity
-
- 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.
- References
-
- https://github.com/arangodb/arangodb/commit/d7b35a6884c6b2802d34d79fb2a79fb2c9ec2175
- https://github.com/arangodb/arangodb/commit/d9b7f019d2435f107b19a59190bf9cc27d5f34dd
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25939
- https://github.com/arangodb/arangodb/commit/d7b35a6884c6b2802d34d79fb2a79fb2c9ec2175
- https://github.com/arangodb/arangodb/commit/d9b7f019d2435f107b19a59190bf9cc27d5f34dd
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25939