Description
Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF).
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.4.4
References
- GHSA-r3jv-xfgx-gj24
- www.certik.com
- www.vulncheck.com
- CVE-2020-36851
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- Axios vulnerable to Server-Side Request Forgery - CVE-2020-28168
- pdfmake is vulnerable to server-side request forgery (SSRF) - CVE-2026-26801
- Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
Tags:
- npm
- cors-anywhere
Last updated on September 26, 2025


