Server-Side Request Forgery (SSRF)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
Passing untrusted user input directly into Puppeteer’s evaluate methods can allow attackers to execute arbitrary code in the browser context. This means user data should never be used as code or function arguments in these APIs.
Impact#
If exploited, attackers could execute unauthorized scripts, potentially leading to server-side request forgery (SSRF), data theft, or manipulation of browser actions. This could compromise sensitive information, interact with internal resources, or enable further attacks against your infrastructure.