| tiêu đề | NucleoidAI Nucleoid 0.7.10 Server-Side Request Forgery |
|---|
| Mô tả | A Server‑Side Request Forgery (SSRF) vulnerability exists in Nucleoid where the application directly constructs an outbound request URL using runtime values returned by extension.apply(req) (notably ip, port, and path) and issues the request via axios without validating or normalizing the target; if an attacker can influence the values returned by extension.apply(req) (for example via req.query, req.body, headers or other request-derived data), they can coerce the server to make arbitrary HTTP requests to internal or external hosts (including cloud metadata endpoints like x.x.x.x), potentially leading to sensitive information disclosure, internal reconnaissance/port scanning, open‑proxy abuse, or further chained compromises. |
|---|
| Nguồn | ⚠️ https://github.com/lakshayyverma/CVE-Discovery/blob/main/Nucleoid.md |
|---|
| Người dùng | lakshay12311 (UID 91298) |
|---|
| Đệ trình | 06/10/2025 16:57 (cách đây 8 các tháng) |
|---|
| Kiểm duyệt | 16/10/2025 16:28 (10 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 328809 [NucleoidAI Nucleoid đến 0.7.10 Outbound Request /src/cluster.ts extension.apply https/ip/port/path/headers nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|