Unintended Proxy or Intermediary (‘Confused Deputy’)
| Property | |
|---|---|
| Language | generic |
| Severity |  |
| CWE | CWE-441: Unintended Proxy or Intermediary (‘Confused Deputy’) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
The proxy destination host is being set dynamically, potentially based on untrusted user input. This can let attackers control where backend requests are sent, rather than limiting them to known safe destinations.
Impact#
If exploited, attackers could redirect proxy traffic to malicious sites or internal services, leading to data leaks, server-side request forgery (SSRF), or unauthorized access to sensitive resources. This can compromise both your application and internal network assets.