RSSHub SSRF vulnerability

Severity:: High

Description

RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP requests from the server to other servers or resources on the network.

Recommendation

Update the rsshub package to the latest compatible version. Followings are version details:

Affected version(s): < 1.0.0-master.a66cbcf
Patched version(s): 1.0.0-master.a66cbcf

References

GHSA-64wp-jh9p-5cg2
advisory.dw1.io
CVE-2023-22493
CWE-918
CAPEC-310
OWASP 2021-A10
OWASP 2021-A6

Related Issues

google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability - CVE-2023-48711
Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55) - CVE-2023-26487
Vega has Cross-site Scripting vulnerability in `lassoAppend` function - CVE-2023-26487
rsshub vulnerable to Cross-site Scripting via unvalidated URL parameters - CVE-2023-26491

Tags:: npm; rsshub

Anything's wrong? Let us know Last updated on January 23, 2023