| 标题 | router-for-me CLIProxyAPI 6.9.29 Server-Side Request Forgery |
|---|
| 描述 | CLIProxyAPI is a proxy server that provides OpenAI/Gemini/Claude/Codex compatible API interfaces for CLI.In the internal/api/handlers/management/api_tools.go file, the application does not fully verify and filter the URL parameters provided by the user, and directly uses them to initiate server requests.The vulnerability allows an attacker to convince a server to make an unauthorized HTTP request to an internal or external system. Attackers can use this vulnerability to access services and sensitive data on the internal network where the server is located, scan internal network ports and services, bypass firewalls to access restricted resources, and initiate requests to third-party systems (which may cause business impact). |
|---|
| 来源 | ⚠️ https://github.com/m3ngx1ng/cve/blob/main/CLIProxyAPI-SSRF.md |
|---|
| 用户 | m3x1 (UID 92411) |
|---|
| 提交 | 2026-04-19 11時59分 (2 月前) |
|---|
| 管理 | 2026-05-07 14時12分 (18 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 361836 [router-for-me CLIProxyAPI 6.9.29 API Interface api_tools.go url 权限提升] |
|---|
| 积分 | 20 |
|---|