Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads
- Severity: Medium
Description
A Server-Side Request Forgery (SSRF) vulnerability exists in Payload’s external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources.
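The weakness named above is a fetch path that follows HTTP redirects without re-validating where each one lands; the block below is an added example of the check a defender would want (it is not Payload's code, which this advisory does not show). It assumes a Node 18+ runtime with a global fetch and that the upload handler can route external fetches through fetchExternalFile(); all function names and sample addresses are constructed for the example.

```javascript
// Added example, not Payload's own code: check the upload URL, then re-check every redirect hop.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
// Loopback, "this" network, link-local, RFC 1918, CGNAT and the IPv6 equivalents.
function isPrivateAddress(host) {
  const m = IPV4.exec(host);
  if (m) {
    const [a, b] = m.slice(1).map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
  }
  const v6 = host.toLowerCase();
  if (v6.startsWith('::ffff:')) {                        // IPv4-mapped; URL parsers serialise it as hex groups
    const rest = v6.slice(7);
    if (IPV4.test(rest)) return isPrivateAddress(rest);
    const [hi, lo] = rest.split(':').map((g) => parseInt(g, 16));
    return isPrivateAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return v6 === '::1' || /^(fc|fd|fe[89ab])/.test(v6);  // loopback, ULA, link-local
}
// Static checks on one URL: a reason string, or null when acceptable. Uses the parsed hostname,
// so a decimal form such as "http://2130706433/" is already seen as 127.0.0.1.
function rejectReason(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return 'unparseable URL'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'scheme not allowed';
  const host = url.hostname.replace(/^\[|\]$/g, '');     // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost')) return 'localhost';
  if ((IPV4.test(host) || host.includes(':')) && isPrivateAddress(host)) return 'private address';
  return null;
}
// Resolves target (possibly a relative Location) against base and applies the same checks,
// so a redirect is validated exactly like the original URL. Throws when blocked.
function checkedUrl(target, base) {
  const next = new URL(target, base).href;
  const reason = rejectReason(next);
  if (reason) throw new Error(`blocked ${next}: ${reason}`);
  return next;
}
// redirect: 'manual' stops fetch() from silently following a 302 from a public host into the
// internal network; every hop goes through checkedUrl(). doFetch is injectable for offline tests.
async function fetchExternalFile(urlString, { maxRedirects = 3, doFetch = fetch } = {}) {
  let current = checkedUrl(urlString);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await doFetch(current, { redirect: 'manual' });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get('location');
    if (!location) throw new Error('redirect without Location header');
    current = checkedUrl(location, current);
  }
  throw new Error('too many redirects');
}
```

Name-based checks here are static only; a deployment should also resolve the hostname and apply isPrivateAddress() to every returned record, since a public name can point at a private address.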
Recommendation
Update the payload package to the latest compatible version. The affected and patched versions are:
- Affected version(s): < 3.75.0
- Patched version(s): 3.75.0
References
Related Issues
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- pdfmake is vulnerable to server-side request forgery (SSRF) - CVE-2026-26801
- Nuxt Icon affected by a Server-Side Request Forgery (SSRF) - CVE-2024-42352
- Strapi Server-Side Request Forgery (SSRF) - CVE-2024-37818
- Tags: npm, payload
Last updated on February 24, 2026