Critical Vulnerability Information

Vulnerability Type: Server-Side Request Forgery (SSRF) in Webhook function

Affected Versions: @strapi/admin =1.25.2

Description

In Strapi's internal version, the Webhooks feature allows users to input a URL to create a webhook connection. However, local domain names (such as localhost, 127.0.0.1, 0.0.0.0, etc.) can be entered into this field, causing the application to make requests to internal services and leading to an SSRF vulnerability.

Attack Payload

http://127.0.0.1:80 -> This port is not open
http://127.0.0.1:1337 -> This port is running Strapi

Reproduction Steps

1. In the Webhooks settings, enter the URL and save.
2. Use the "Trigger" function and capture the request/response with Burp Suite.
3. The server makes a request to , which fails, as port 80 is not open.
4. Change the URL to .
5. Click the "Trigger" function again and capture the request/response.
6. The server returns "Method Not Allowed", indicating that port 1337 is actually in use on the machine.

Impact

If a production server is running Strapi with many ports open, attackers can exploit this SSRF vulnerability to brute-force all ports and identify which ones are open.

CVSS Score

Severity: Medium (4.9/10)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

CVE ID: CVE-2021-41788

Weakness: CWE-918