trueleaf ApiFlow Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in trueleaf ApiFlow version 0.9.7. The issue arises in the URL Validation Handler component, specifically within the validateUrlSecurity function of the http_proxy.service.ts file. This vulnerability allows remote attackers to bypass URL validation and make arbitrary requests to internal network resources. The exploitation is possible without authentication, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can manipulate the server to make requests on their behalf. This could be used to access internal services and resources that are not normally exposed to the outside network.

Added: Mar 21, 2026, 10:18 PM

Updated: Mar 21, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.4

exploitability

8.2

remediation

0.0

relevance

4.2

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.4

exploitability

8.2

remediation

0.0

relevance

4.2

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

trueleaf ApiFlow Server-Side Request Forgery Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating