Advisories for Npm/Request-Filtering-Agent package

2025

request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1

request-filtering-agent versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTTP requests are correctly blocked.

Impact:

Vulnerable patterns (requests that should be blocked but are allowed):

- https://127.0.0.1:443/api
- https://127.0.0.1:8443/admin
- Any HTTPS request using direct IP address https://127.0.0.1

This vulnerability primarily affects services using self-signed certificates on 127.0.0.1.

Not affected (correctly blocked in all versions):

- http://127.0.0.1:80/api - HTTP requests are properly blocked
- https://localhost:443/api - …
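
As an added example (not code from request-filtering-agent or from the advisory), here is a defence-in-depth pre-flight check that makes the same block decision for an IP-literal URL whether the scheme is HTTP or HTTPS. The names `preflight`, `isBlockedV4`, `v4ToInt` and `BLOCKED_V4`, and the range list itself, are assumptions made for this illustration.

```javascript
// Added example: scheme-independent pre-flight check for IP-literal URLs.
// Range list and function names are constructed for this illustration.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Convert a canonical dotted quad to an integer, or null if it is not one.
function v4ToInt(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedV4(addr) {
  const n = v4ToInt(addr);
  if (n === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// 'block'   : refuse before any socket is opened
// 'allow'   : public IPv4 literal
// 'resolve' : hostname; the resolved address must be checked at connect time
function preflight(rawUrl) {
  const url = new URL(rawUrl);
  // The scheme only gates which protocols are accepted; it never relaxes the address check.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'block';
  const host = url.hostname;
  if (host.startsWith('[')) return 'block'; // IPv6 literal: rejected outright (simplification)
  if (v4ToInt(host) !== null) return isBlockedV4(host) ? 'block' : 'allow';
  return 'resolve';
}

// URLs from the advisory plus one constructed documentation-range address.
for (const u of ['https://127.0.0.1:443/api', 'https://127.0.0.1:8443/admin',
  'http://127.0.0.1:80/api', 'https://localhost:443/api', 'https://203.0.113.10/']) {
  console.log(preflight(u), u);
}
```

A `resolve` result still needs a connect-time check on the resolved address, since a hostname can point at 127.0.0.1.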