Description
In the latest version of Strapi, under Settings -> Webhooks, the application accepts a URL in order to create a Webhook connection. However, this field also accepts local addresses such as localhost, 127.0.0.1, 0.0.0.0, …
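One way to reject such destinations when a webhook URL is saved, shown as an added example (not Strapi's code and not the fix shipped in the patched version). The function names, the list of blocked ranges and the `resolved` parameter (addresses the caller has already obtained from DNS for the hostname) are assumptions.

```javascript
// Added example, not Strapi's code; function names are hypothetical.
// Internal IPv4 ranges as [network, prefixLength]; extend for your environment.
const BLOCKED_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];

function v4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return m.slice(1).reduce((n, o) => n * 256 + Number(o), 0);
}

function isInternalV4(n) {
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// `host` must be a WHATWG-canonical hostname (URL#hostname), so alternate
// spellings such as 0x7f.1 or 2130706433 have already become 127.0.0.1.
function isInternalHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h.startsWith('[')) {
    const a = h.slice(1, -1);
    if (a === '::1' || a === '::') return true; // loopback, unspecified
    if (/^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/.test(a)) return true; // fc00::/7, fe80::/10
    const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(a); // IPv4-mapped
    return m ? isInternalV4(parseInt(m[1], 16) * 65536 + parseInt(m[2], 16)) : false;
  }
  const n = v4ToInt(h);
  return n !== null && isInternalV4(n);
}

// Returns null when the URL is acceptable, otherwise the reason for rejecting it.
function checkWebhookUrl(input, resolved = []) {
  let url;
  try { url = new URL(input); } catch { return 'invalid URL'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'scheme not allowed';
  if (isInternalHost(url.hostname)) return 'internal host';
  for (const addr of resolved) {
    let canon; // canonicalise the resolved address the same way; fail closed on errors
    try { canon = new URL(`http://${addr.includes(':') ? `[${addr}]` : addr}/`).hostname; }
    catch { return 'unparseable address'; }
    if (isInternalHost(canon)) return 'resolves to internal address';
  }
  return null;
}
```

Because DNS answers can change between saving the webhook and delivering it, the same address check belongs on the connection made at delivery time as well.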
Recommendation
Update the @strapi/admin package to the latest compatible version. Version details:
- Affected version(s): < 4.25.2
- Patched version(s): 4.25.2
References
Related Issues
- Strapi Server-Side Request Forgery (SSRF) - CVE-2024-37818
- @lobehub/chat Server Side Request Forgery vulnerability - CVE-2024-32965
- Server-Side Request Forgery in axios - CVE-2024-39338
- Nuxt Icon affected by a Server-Side Request Forgery (SSRF) - CVE-2024-42352
Tags
- npm
- @strapi/admin
Last updated on May 29, 2025