Use of Externally-Controlled Format String
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-134: Use of Externally-Controlled Format String |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
User input is inserted directly into a string with `.format()`, and the resulting string is used as the URL of an outgoing request in a Flask API controller. Untrusted data therefore shapes where the server sends the request and what path it asks for. When reviewing a finding, check two things: whether the untrusted value can escape the host or path the template intended (for example by injecting `/`, `#`, `?` or `@` into a host or path segment), and whether the untrusted value is the format template itself rather than one of the arguments. The latter is the classic CWE-134 case in Python: a template such as `{0.__class__}` resolves attribute and index lookups against the format arguments, so an attacker-controlled template can read data the controller never meant to expose.
Impact
An attacker who controls the interpolated value could redirect the outgoing request to a host or path the application never intended, enabling server-side request forgery (SSRF) against internal services, leakage of data returned by the upstream call, or unauthorized access to endpoints that are reachable only from the server. This could compromise sensitive information or expose internal systems that are not directly reachable from the Internet.
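The following is an added example, not code from the original rule page. It shows the flagged pattern beside a hardened form, using constructed inputs: a controller builds an upstream URL with `.format()`, an attacker-supplied region or user id escapes the intended host or path, and the fix validates each part, quotes the path segment and re-checks the host of the final URL. A second pair of functions shows the strict CWE-134 case, where the untrusted string is the template rather than an argument. All names (`build_upstream_url_vulnerable`, `build_upstream_url`, `render_vulnerable`, `render_safe`, the `*.internal.example` hosts, the region allowlist, the `Settings` object and its fake secret) are hypothetical; the Flask `request` plumbing is omitted so the module runs stand-alone, and in a real controller the arguments would come from `request.args` or the route.

```python
"""Added example (not from the original rule page): untrusted input reaching
`.format()` in a Flask-style controller that builds an upstream URL.
All identifiers and hosts below are hypothetical / constructed for the demo."""
import re
from urllib.parse import quote, urlsplit

# Hypothetical allowlist of upstream regions and the host suffix they map to.
ALLOWED_REGIONS = {"eu-west-1", "us-east-1"}
UPSTREAM_SUFFIX = ".internal.example"
# Hypothetical id format; anything else is rejected before it reaches the URL.
USER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_upstream_url_vulnerable(region: str, user_id: str) -> str:
    """The flagged pattern: untrusted values dropped straight into the template.
    A region of 'evil.example/#' turns the real host into a URL fragment."""
    return "https://{}{}/api/v1/users/{}".format(region, UPSTREAM_SUFFIX, user_id)


def build_upstream_url(region: str, user_id: str) -> str:
    """Hardened form: validate each part, percent-encode the path segment,
    then re-parse the result and confirm the host before it is requested."""
    if region not in ALLOWED_REGIONS:
        raise ValueError("unknown region")
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("invalid user id")
    url = "https://{}{}/api/v1/users/{}".format(
        region, UPSTREAM_SUFFIX, quote(user_id, safe="")
    )
    # Belt and braces: the host an HTTP client would connect to must still be ours.
    host = urlsplit(url).hostname or ""
    if not host.endswith(UPSTREAM_SUFFIX):
        raise ValueError("upstream host escaped the allowlist")
    return url


def target_host(url: str) -> str:
    """Host that an HTTP client would actually connect to for `url`."""
    return urlsplit(url).hostname or ""


class Settings:
    """Hypothetical object that ends up as a `.format()` argument."""

    def __init__(self) -> None:
        self.api_key = "constructed-secret-not-real"  # fake value for the demo


def render_vulnerable(template: str, settings: Settings) -> str:
    """Strict CWE-134: the attacker controls the template, so a field like
    '{0.api_key}' reads attributes of whatever object is passed in."""
    return template.format(settings)


# Templates are fixed in code; untrusted text is only ever an argument.
TEMPLATES = {"welcome": "Welcome, {name}!"}


def render_safe(template_name: str, name: str) -> str:
    """Braces inside an argument are inert: '{0.api_key}' stays literal."""
    return TEMPLATES[template_name].format(name=name)


if __name__ == "__main__":
    print(target_host(build_upstream_url_vulnerable("evil.example/#", "42")))
    print(build_upstream_url("eu-west-1", "42"))
    print(render_vulnerable("{0.api_key}", Settings()))
    print(render_safe("welcome", "{0.api_key}"))
```

The host re-check after building the URL is deliberate: allowlisting the input is the primary control, but parsing the string you are about to hand to the HTTP client and checking its `hostname` catches template mistakes that validation alone would miss.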