GHSA-v8wj-f5c7-pvxf

Suggest an improvement
Source
https://github.com/advisories/GHSA-v8wj-f5c7-pvxf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-v8wj-f5c7-pvxf/GHSA-v8wj-f5c7-pvxf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v8wj-f5c7-pvxf
Aliases
Published
2025-05-27T17:59:52Z
Modified
2025-05-29T21:03:02Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Strapi allows Server-Side Request Forgery in Webhook function
Details

Description

In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as localhost, 127.0.0.1, 0.0.0.0,.... in order to make the Application fetching into the internal itself, which causes the vulnerability Server - Side Request Forgery (SSRF).

Payloads

  • http://127.0.0.1:80 -> The Port is not open
  • http://127.0.0.1:1337 -> The Port which Strapi is running on

Steps to Reproduce

  • First of all, let's input the URL http://127.0.0.1:80 into the URL field, and click "Save".

CleanShot 2024-06-04 at 22 45 17@2x

  • Next, use the "Trigger" function and use Burp Suite to capture the request / response

CleanShot 2024-06-04 at 22 47 50@2x

  • The server return request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80, BECAUSE the Port 80 is not open, since we are running Strapi on Port 1337, let's change the URL we input above into http://127.0.0.1:1337

CleanShot 2024-06-04 at 22 50 13@2x

  • Continue to click the "Trigger" function, use Burp to capture the request / response

CleanShot 2024-06-04 at 22 53 25@2x

  • The server returns Method Not Allowed, which means that there actually is a Port 1337 running the machine.

PoC

Here is the Poc Video, please check:

https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing

Impact

  • If there is a real server running Strapi with many ports open, by using this SSRF vulnerability, the attacker can brute-force through all 65535 ports to know what ports are open.
Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-27T17:59:52Z",
    "nvd_published_at": "2025-05-29T09:15:25Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE"
}
References

Affected packages

npm / @strapi/admin

Package

Name
@strapi/admin
View open source insights on deps.dev
Purl
pkg:npm/%40strapi/admin

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.25.2