Primary

Context

xuxueli XXL-Job Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in xuxueli XXL-Job versions through 3.3.2. The issue resides in the JobInfoController, specifically within the triggerJob function. This vulnerability allows remote attackers to manipulate the target URI parameter, lacking proper security validation, and exploit internal services of the affected system.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests to internal services, potentially leading to further exploitation or information disclosure.

Reproduction

To reproduce this vulnerability, send a POST request to the '/xxl-job-admin/jobinfo/trigger' endpoint. Include an 'addressList' parameter with a URL pointing to an internal service. The request must be made with the appropriate XXL-JOB login cookies to simulate an authenticated user.

Added: Mar 8, 2026, 11:19 AM

Updated: Mar 8, 2026, 11:19 AM

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

0.4

exploitability

5.6

remediation

0.0

relevance

3.8

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

0.4

exploitability

5.6

remediation

0.0

relevance

3.8

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

xuxueli XXL-Job Server-Side Request Forgery Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

xuxueli xxl-job

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating