Submit #807811: router-for-me CLIProxyAPI 6.9.29 Server-Side Request Forgeryinfo

Titlerouter-for-me CLIProxyAPI 6.9.29 Server-Side Request Forgery
DescriptionCLIProxyAPI is a proxy server that provides OpenAI/Gemini/Claude/Codex compatible API interfaces for CLI.In the internal/api/handlers/management/api_tools.go file, the application does not fully verify and filter the URL parameters provided by the user, and directly uses them to initiate server requests.The vulnerability allows an attacker to convince a server to make an unauthorized HTTP request to an internal or external system. Attackers can use this vulnerability to access services and sensitive data on the internal network where the server is located, scan internal network ports and services, bypass firewalls to access restricted resources, and initiate requests to third-party systems (which may cause business impact).
Source⚠️ https://github.com/m3ngx1ng/cve/blob/main/CLIProxyAPI-SSRF.md
User
 m3x1 (UID 92411)
Submission04/19/2026 11:59 (3 months ago)
Moderation05/07/2026 14:12 (18 days later)
StatusAccepted
VulDB entry361836 [router-for-me CLIProxyAPI 6.9.29 API Interface api_tools.go url server-side request forgery]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!