Server-Side Request Forgery (SSRF)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
Passing untrusted user input directly to Puppeteer’s setContent method can allow attackers to inject malicious HTML or scripts. This exposes your application to security risks if the content is not properly validated or sanitized.
Impact#
An attacker could exploit this to trigger server-side requests to arbitrary URLs, potentially accessing internal resources, leaking sensitive information, or using your server to launch further attacks. This can lead to data breaches, unauthorized actions, or system compromise.