Submeter #795416: devlikeapro WAHA 0.0.1 Server-Side Request Forgeryinformação

Títulodevlikeapro WAHA 0.0.1 Server-Side Request Forgery
DescriçãoWAHA media conversion endpoints accept user-provided file URLs and fetch them server-side. The input URL flows from authenticated API requests into session.fetch(...), then to axios.get(url, ...) without destination controls (no private-range blocking, no allowlist). This creates an authenticated SSRF condition usable by any API key holder with session access.
Fonte⚠️ https://github.com/wing3e/public_exp/issues/36
Utilizador
 BigW (UID 96422)
Submissão02/04/2026 11h41 (há 25 dias)
Moderação24/04/2026 20h55 (22 days later)
EstadoAceite
Entrada VulDB359522 [devlikeapro WAHA até 2026.3.4 API Request media.controller.ts Elevação de Privilégios]
Pontos18

VoltarVisão GeralPróximo

Want to stay up to date on a daily basis?

Enable the mail alert feature now!