In the latest version of Strapi, the Settings -> Webhooks page lets an administrator enter a URL to create a webhook. The URL field also accepts local and internal addresses such as localhost, 127.0.0.1 and 0.0.0.0, so the application can be made to send requests to itself (or to other hosts reachable only from its network). This is a Server-Side Request Forgery (SSRF) vulnerability. Because the result of the request (a connection error versus an HTTP response) is shown back to the user, the webhook URL field also acts as an oracle for which internal ports are open.

Targets used in the proof of concept:

http://127.0.0.1:80 -> the port is not open
http://127.0.0.1:1337 -> the port Strapi is running on

Enter http://127.0.0.1:80 into the URL field and click "Save". The application reports: request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80. The connection is refused because port 80 is not open; Strapi is running on port 1337.

Now change the URL to http://127.0.0.1:1337 and save again. The application reports Method Not Allowed, which confirms that there is a service listening on port 1337 on the machine.

Here is the PoC video:
https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing
{ "github_reviewed": true, "github_reviewed_at": "2025-05-27T17:59:52Z", "nvd_published_at": "2025-05-29T09:15:25Z", "cwe_ids": [ "CWE-918" ], "severity": "MODERATE" }