Server-Side Request Forgery (SSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code passes user-provided URLs directly to Source.fromURL or Source.fromURI, allowing external input to control outbound network requests. This can let attackers make your server fetch data from any URL, including internal or sensitive systems.
Impact
If exploited, an attacker could access internal resources, steal sensitive information, or trigger actions on systems that are not publicly accessible. This could lead to data leaks, unauthorized access, or using your server as a proxy to attack other targets within your network.
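Added example, not part of this rule page: the flagged pattern in Scala (the raw user value reaching Source.fromURL) beside a hardened version that parses and validates the URL before any network call. The allowlisted hostnames are assumed placeholders; adjust them per deployment.

```scala
import java.net.{InetAddress, URI, URL}
import scala.io.Source
import scala.util.{Failure, Success, Try}

object SafeFetch {
  // Assumed allowlist of hosts this service may fetch from (placeholder values).
  private val allowedHosts: Set[String] = Set("api.example.com", "cdn.example.com")
  private val allowedSchemes: Set[String] = Set("http", "https")

  // Vulnerable pattern the rule flags: user input controls the outbound request.
  def fetchUnsafe(userUrl: String): String =
    Source.fromURL(userUrl).mkString

  // Validate before any network call; Left(reason) on rejection, Right(url) otherwise.
  def validate(userUrl: String): Either[String, URL] =
    Try(new URI(userUrl)) match {
      case Failure(e) => Left(s"unparseable URL: ${e.getMessage}")
      case Success(uri) =>
        val scheme = Option(uri.getScheme).map(_.toLowerCase)
        val host   = Option(uri.getHost).map(_.toLowerCase)
        if (!scheme.exists(allowedSchemes.contains)) Left("scheme not allowed")
        else if (uri.getUserInfo != null) Left("userinfo not allowed")
        else if (!host.exists(allowedHosts.contains)) Left("host not in allowlist")
        else
          // Defense in depth: reject names that resolve to loopback or private ranges.
          Try(InetAddress.getByName(host.get)) match {
            case Failure(e) => Left(s"host does not resolve: ${e.getMessage}")
            case Success(addr)
                if addr.isLoopbackAddress || addr.isSiteLocalAddress ||
                  addr.isLinkLocalAddress || addr.isAnyLocalAddress =>
              Left("host resolves to an internal address")
            case Success(_) => Right(uri.toURL)
          }
    }

  // Hardened form: only a validated, allowlisted URL reaches Source.fromURL.
  def fetchSafe(userUrl: String): Either[String, String] =
    validate(userUrl).map { url =>
      val src = Source.fromURL(url)
      try src.mkString finally src.close()
    }
}
```

The hostname allowlist is the primary control; the address check is a secondary layer only, since the underlying HttpURLConnection follows redirects by default and DNS answers can change between validation and fetch.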