oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-39954: Apache EventMesh Runtime: SSRF

From: Xue Weiming <mikexue () apache org>
Date: Mon, 30 Jun 2025 03:09:33 +0000
Severity: low 

Affected versions:

- Apache EventMesh Runtime (org.apache.eventmesh:eventmesh-runtime) 1.6.0 through 1.11.0

Description:

CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. 
allows the attacker can abuse functionality on the server to read or update internal resources.
Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue.

Credit:

Mak1r 808 <808mak1r () gmail com> (reporter)

References:

https://eventmesh.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-39954
Previous By Date Next
Previous By Thread Next

Current thread: