CVE-2024-27927: RSSHub vulnerable to Server-Side Request Forgery

March 6, 2024

Summary

Serveral Server-Side Request Forgery (SSRF) vulnerabilities in RSSHub allow remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks.

References

github.com/DIYgod/RSSHub
github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069
github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3
github.com/advisories/GHSA-3p3p-cgj7-vgw3
nvd.nist.gov/vuln/detail/CVE-2024-27927

Code Behaviors & Features

Detect and mitigate CVE-2024-27927 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →