CWE-9184 advisories

Server-Side Request Forgery (SSRF)

What it is

The server fetches a URL supplied by the user, letting an attacker reach internal services or cloud metadata.

How to fix it

Patch, then validate the destination against an allow-list and block private/link-local ranges.

How to avoid it

Allow-list outbound destinations; resolve and re-check the IP, and block 169.254.169.254 and RFC-1918 ranges.
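The fix and the avoidance advice above describe one control: accept only allow-listed hosts, resolve the name, check every resulting address against private and link-local ranges, and then connect to the address that passed rather than resolving again. The following is an added example in Python that implements that control; it is not code from this page or from the Stateward product. ALLOWED_HOSTS, the FAKE_DNS answers and the sample URLs are constructed for illustration, and the stub resolver stands in for the system resolver so the block runs offline.

```python
"""Outbound-URL vetting for SSRF defence (added example; allow-list and DNS data are constructed)."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts this service is permitted to fetch from.
ALLOWED_HOSTS = {"api.example.com", "hooks.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetch must never reach, listed explicitly so the policy is
# readable; the is_global / is_multicast checks below catch the rest.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                  # link-local, incl. 169.254.169.254 metadata
    "127.0.0.0/8", "0.0.0.0/8", "100.64.0.0/10",       # loopback, "this" network, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


class SsrfBlocked(ValueError):
    """Raised when a user-supplied URL fails the outbound policy."""


@dataclass(frozen=True)
class PinnedTarget:
    """What the HTTP client needs to connect to the vetted IP directly."""
    scheme: str
    host: str   # original hostname: goes in the Host header / TLS SNI
    ip: str     # address that passed the check: connect here, do not re-resolve
    port: int
    path: str


def is_blocked_ip(ip_str: str) -> bool:
    """True for any address a server-side fetch must not contact."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:10.0.0.1 is really 10.0.0.1; judge it by its IPv4 meaning.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in BLOCKED_NETWORKS):
        return True
    return (not ip.is_global) or ip.is_multicast


def system_resolver(host: str) -> List[str]:
    """Real resolver: every A/AAAA answer, deduplicated. Not used by the offline demo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_url(url: str, resolver: Callable[[str], Iterable[str]] = system_resolver) -> PinnedTarget:
    """Apply scheme, allow-list and resolved-address checks; return a pinned target."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfBlocked("credentials in URL not allowed")  # user@host confuses naive host checks
    host = (parts.hostname or "").lower().rstrip(".")  # normalise case and trailing dot
    if host not in ALLOWED_HOSTS:
        raise SsrfBlocked(f"host not on allow-list: {host!r}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise SsrfBlocked("malformed port") from exc
    addrs = list(resolver(host))
    if not addrs:
        raise SsrfBlocked(f"{host!r} did not resolve")
    # Re-check every address the name resolves to: an allow-listed name can still
    # point at an internal range through misconfiguration or DNS rebinding.
    for addr in addrs:
        if is_blocked_ip(addr):
            raise SsrfBlocked(f"{host!r} resolves to blocked address {addr}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return PinnedTarget(parts.scheme, host, addrs[0], port, path)


# Constructed DNS answers so the example runs offline (1.2.3.x stand in for public IPs).
FAKE_DNS = {
    "api.example.com": ["1.2.3.4", "2606:4700::1"],
    "hooks.example.com": ["1.2.3.5", "169.254.169.254"],  # allow-listed name rebound to metadata
}


def stub_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def vet_samples() -> dict:
    """Run the policy over constructed URLs; maps each URL to 'ok -> ...' or 'blocked: ...'."""
    urls = [
        "https://api.example.com/v1/items?id=7",
        "http://API.example.com./status",
        "https://hooks.example.com/notify",
        "https://api.example.com@10.0.0.5/",
        "http://169.254.169.254/",
        "ftp://api.example.com/file",
        "http://localhost:8080/admin",
    ]
    results = {}
    for u in urls:
        try:
            t = vet_url(u, stub_resolver)
            results[u] = f"ok -> {t.ip}:{t.port}{t.path}"
        except SsrfBlocked as e:
            results[u] = f"blocked: {e}"
    return results


if __name__ == "__main__":
    for url, verdict in vet_samples().items():
        print(f"{url:45} {verdict}")
```

The PinnedTarget is the important output: the HTTP client should open its socket to `ip`, send `host` in the Host header (and as SNI for TLS), and follow no redirects automatically; each redirect hop is a new user-influenced destination and must go through `vet_url` again, otherwise an allow-listed host that redirects to an internal address defeats the check.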

Known Server-Side Request Forgery (SSRF) vulnerabilities

Stateward flags Server-Side Request Forgery (SSRF) in your own code and dependencies on every pull request.


Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.