Soumettre #795416: devlikeapro WAHA 0.0.1 Server-Side Request Forgeryinformation

Titredevlikeapro WAHA 0.0.1 Server-Side Request Forgery
DescriptionWAHA media conversion endpoints accept user-provided file URLs and fetch them server-side. The input URL flows from authenticated API requests into session.fetch(...), then to axios.get(url, ...) without destination controls (no private-range blocking, no allowlist). This creates an authenticated SSRF condition usable by any API key holder with session access.
La source⚠️ https://github.com/wing3e/public_exp/issues/36
Utilisateur
 BigW (UID 96422)
Soumission02/04/2026 11:41 (il y a 26 jours)
Modérer24/04/2026 20:55 (22 days later)
StatutAccepté
Entrée VulDB359522 [devlikeapro WAHA jusqu’à 2026.3.4 API Request media.controller.ts élévation de privilèges]
Points18

PrécédentAperçuSuivant

Do you want to use VulDB in your project?

Use the official API to access entries easily!