| शीर्षक | devlikeapro WAHA 0.0.1 Server-Side Request Forgery |
|---|
| विवरण | WAHA media conversion endpoints accept user-provided file URLs and fetch them server-side. The input URL flows from authenticated API requests into session.fetch(...), then to axios.get(url, ...) without destination controls (no private-range blocking, no allowlist). This creates an authenticated SSRF condition usable by any API key holder with session access. |
|---|
| स्रोत | ⚠️ https://github.com/wing3e/public_exp/issues/36 |
|---|
| उपयोगकर्ता | BigW (UID 96422) |
|---|
| सबमिशन | 02/04/2026 11:41 AM (25 दिन पहले) |
|---|
| संयम | 24/04/2026 08:55 PM (22 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 359522 [devlikeapro WAHA तक 2026.3.4 API Request media.controller.ts अधिकार वृद्धि] |
|---|
| अंक | 18 |
|---|