
SSRF attack via the web scraping plugin

Moderate
c121914yu published GHSA-vc67-62v5-8cwx Mar 6, 2025

Package

npm FastGPT/service (npm)

Affected versions

<4.9.0

Patched versions

4.9.0

Description

Impact

Description

Because the web scraping plugin does not validate internal (intranet) IP addresses, an attacker can submit a request targeting an internal IP, causing the system to issue the request from inside the internal network and potentially retrieve private data from it.

Fixed version

V4.9.0

Severity

Moderate

CVE ID

CVE-2025-27600

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Credits