CVE-2024-39954: Apache EventMesh Vulnerable to Server-Side Request Forgery in WebhookUtil.java

August 20, 2025

Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources. Users are recommended to upgrade to version 1.12.0 or use the master branch, which fixes this issue.

References

github.com/advisories/GHSA-hf86-8x8v-h7vc
github.com/apache/eventmesh
lists.apache.org/thread/v6c96zygqx8xc2k3n2d59mgnm5txhkon
nvd.nist.gov/vuln/detail/CVE-2024-39954

Code Behaviors & Features

Detect and mitigate CVE-2024-39954 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →