Server-Side Request Forgery (SSRF)

Property
Language: go
Severity: high
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The code constructs outgoing HTTP requests using user-supplied input as the URL host or base address. This allows attackers to control where requests are sent, creating a Server-Side Request Forgery (SSRF) risk.

Impact

If exploited, an attacker could make your server send requests to internal services or sensitive endpoints, potentially exposing private data or giving access to internal networks. This can lead to data leaks, unauthorized actions, or further attacks against your infrastructure.
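Added example, not part of this rule set or of any project it scans: the kind of check in Go whose absence the rule above reports, keeping the request destination under the server's control instead of the caller's. The allowlisted hostnames and the sample URLs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed allowlist of hostnames this service may call; in production it
// comes from configuration, never from the incoming request.
var allowedHosts = map[string]bool{"api.example.com": true, "files.example.com": true}

// ValidateOutboundURL parses the caller-supplied value and accepts only absolute
// https URLs with no embedded credentials and an allowlisted hostname.
func ValidateOutboundURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid url: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q is not permitted", u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("credentials in url are not permitted")
	}
	host := strings.ToLower(u.Hostname()) // Hostname() drops the port and IPv6 brackets
	if !allowedHosts[host] {
		return nil, fmt.Errorf("host %q is not on the allowlist", host)
	}
	return u, nil
}

// RejectInternalIP is a second layer applied after DNS resolution (net.LookupIP in
// production): loopback, RFC 1918, link-local (where cloud metadata endpoints live)
// and unspecified addresses are refused even for an allowlisted name. It takes the
// resolved IPs as a parameter so it can be exercised offline.
func RejectInternalIP(ips []net.IP) error {
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return fmt.Errorf("%s is in an internal address range", ip)
		}
	}
	return nil
}

func main() {
	for _, raw := range []string{"https://api.example.com/v1/items", "http://api.example.com/",
		"https://user:pw@api.example.com/", "https://intranet.example.com/"} {
		_, err := ValidateOutboundURL(raw)
		fmt.Printf("%-40s -> %v\n", raw, err)
	}
}
```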

Server-Side Request Forgery (SSRF)

Property
Language: scala
Severity: medium
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Passing user-controlled or unvalidated parameters directly into the scalaj-http ‘Http’ method can let attackers make the server send requests to arbitrary URLs. This exposes the application to Server-Side Request Forgery (SSRF) risks.

Impact

If exploited, an attacker could use your server to access internal services, sensitive data, or external systems, potentially bypassing network protections. This could lead to data leaks, exposure of internal infrastructure, or be used as a stepping stone for further attacks.

Server-Side Request Forgery (SSRF)

Property
Language: scala
Severity: medium
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

User-controlled input is being passed directly into the Dispatch url function, allowing attackers to specify arbitrary URLs for server-side requests. This makes it possible for untrusted users to control where the server sends HTTP requests.

Impact

An attacker could use this to make your server access internal services or external malicious sites, potentially exposing sensitive data or enabling further attacks on internal infrastructure. They could also exfiltrate data or probe your network, leading to data breaches or service disruptions.

Server-Side Request Forgery (SSRF)

Property
Language: scala
Severity: medium
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The code passes user-provided URLs directly to Source.fromURL or Source.fromURI, allowing external input to control outbound network requests. This can let attackers make your server fetch data from any URL, including internal or sensitive systems.

Impact

If exploited, an attacker could access internal resources, steal sensitive information, or trigger actions on systems that are not publicly accessible. This could lead to data leaks, unauthorized access, or using your server as a proxy to attack other targets within your network.

Server-Side Request Forgery (SSRF)

Property
Language: scala
Severity: medium
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

User input or external parameters are being passed directly to WSClient for outbound HTTP requests, allowing attackers to control the request destination. This can enable attackers to access arbitrary or internal network resources from your server.

Impact

If exploited, attackers could make your server send requests to internal services or malicious endpoints, potentially exposing sensitive data, accessing restricted resources, or enabling further attacks like internal network probing or data exfiltration. This could lead to data breaches or compromise of internal infrastructure.

Server-Side Request Forgery (SSRF)

Property
Language: java
Severity: medium
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input is being used to set the host part of a URL in server-side code, allowing attackers to control where requests are sent. This can let untrusted users cause your server to connect to arbitrary addresses.

Impact

If exploited, attackers could make your server send requests to malicious or internal systems, potentially exposing sensitive data, credentials, or enabling attacks against internal infrastructure (SSRF). This can lead to data leaks, unauthorized access, or compromise of internal services.

Server-Side Request Forgery (SSRF)

Property
Language: javascript
Severity: low
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Passing untrusted user input directly to the wkhtmltopdf function can allow attackers to manipulate the URLs or content processed by the server. This makes it possible for an attacker to control what wkhtmltopdf fetches or renders.

Impact

If exploited, an attacker could make the server send requests to internal or protected resources, potentially exposing sensitive data or enabling further attacks on internal systems. This can lead to information leaks, unauthorized network access, or abuse of server resources.

Server-Side Request Forgery (SSRF)

Property
Language: javascript
Severity: medium
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Passing untrusted user input directly to methods like compileScript, evaluate, navigate, or setDocumentContent in chrome-remote-interface can let attackers control which URLs the remote browser loads and what content or script it runs. This exposes your application to SSRF if the input isn't properly validated or sanitized.

Impact

An attacker could exploit this to make your server send requests to internal or external systems (SSRF), potentially accessing private resources, leaking sensitive data, or launching further attacks from your infrastructure. This could lead to unauthorized access, data breaches, or disruption of services.

Server-Side Request Forgery (SSRF)

Property
Language: javascript
Severity: medium
CWE: CWE-918: Server-Side Request Forgery (SSRF)
OWASP: A10:2021 - Server-Side Request Forgery (SSRF)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

Passing untrusted user input directly to the wkhtmltopdf library in an Express app can allow attackers to make the server request arbitrary URLs. This can lead to exposing internal services or sensitive information.

Impact

If exploited, an attacker could force the server to access internal resources or external sites, potentially leaking sensitive data or enabling further attacks on your network. This could compromise backend systems and lead to data breaches.