GHSA-gpx9-96j6-pp87: TaskWeaver has Protection Mechanism Failure and Server-Side Request Forgery (SSRF)

January 28, 2026

This vulnerability allows a user to escape the container network isolation and access the host’s local services (127.0.0.1 bound on the host). The vulnerability is applicable only on the MacOS and Windows environments while using Docker Desktop, Containerd on Lima VM, or Podman.

References

github.com/advisories/GHSA-gpx9-96j6-pp87
github.com/microsoft/TaskWeaver
github.com/microsoft/TaskWeaver/commit/d635599f03488c857e1919fcc8303cc5a09e9a0a
github.com/microsoft/TaskWeaver/security/advisories/GHSA-gpx9-96j6-pp87

Code Behaviors & Features

Detect and mitigate GHSA-gpx9-96j6-pp87 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →