Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade webfinger.js to version 2.8.1 or higher.
webfinger.js is a client library to query WebFinger records.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the WebFinger class. An attacker can cause the server to send arbitrary GET requests to internal or external hosts, including localhost and LAN addresses, by supplying a specially crafted user address.
Note: This is a blind SSRF; the response of the request is not returned to the user.
curl "http://localhost:3000/api/v1/search_user?search=user@localhost:1234/secret.txt?"