Description
Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF).
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.4.4
References
- GHSA-r3jv-xfgx-gj24
- www.certik.com
- www.vulncheck.com
- CVE-2020-36851
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- Axios vulnerable to Server-Side Request Forgery - CVE-2020-28168
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Server side request forgery in @isomorphic-git/cors-proxy - CVE-2021-23664
- Server-Side Request Forgery in @uppy/companion - CVE-2020-8205
Tags
- npm
- cors-anywhere
Last updated on September 26, 2025