CVE-2024-52588: Strapi allows Server-Side Request Forgery in Webhook function
In the latest Strapi version, the Settings -> Webhooks screen lets an administrator enter the URL that a webhook will be delivered to. The field accepts local and internal addresses such as localhost, 127.0.0.1 or 0.0.0.0 without any check, so the application can be made to send the webhook request to itself or to other hosts on its internal network. This is a Server-Side Request Forgery (SSRF) vulnerability.