Critical Vulnerability Information

Vulnerability Name: SSRF in editor's proxy via IPv6 link-local address in jgraph/drawio
CVE ID: CVE-2022-1722
Vulnerability Type: Server-Side Request Forgery (SSRF)
Severity: High (7.5)
Affected Versions: Online Editor

Description

The proxy server does not check for link-local IPv6 addresses. In the code snippet , it checks for local IP addresses but omits the check for link-local IPv6 addresses.

Proof of Concept (PoC)

1. Set up Wireshark.
2. Open the DrawIO web application locally: .
3. The server attempts to connect to , the default gateway, indicating that link-local IPv6 addresses are not being filtered.

Impact

SSRF to internal link-local IPv6 addresses.

Fix

Fixed in version 18.0.5 with commit . The fix bounty has been dropped.
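
The gap named in the Description, shown as an added example (this is not drawio's code): a destination check that covers loopback, unspecified and site-local ranges but not link-local, next to the same check with link-local ranges included. The range lists, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Ranges a "local address" filter typically covers (assumed list, not drawio's).
SITE_LOCAL = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "fec0::/10", "fc00::/7")]
# Link-local ranges; the IPv6 one is what the advisory says was left unchecked.
LINK_LOCAL = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fe80::/10")]


def parse(addr):
    """Parse an address literal, dropping an IPv6 zone id such as '%eth0'."""
    return ipaddress.ip_address(addr.split("%", 1)[0])


def in_any(ip, networks):
    """True if ip falls inside any network of the same IP version."""
    return any(ip.version == net.version and ip in net for net in networks)


def incomplete_is_local(addr):
    """Check with the gap described above: there is no link-local test."""
    ip = parse(addr)
    return ip.is_loopback or ip.is_unspecified or in_any(ip, SITE_LOCAL)


def is_local(addr):
    """The same check with the link-local ranges added."""
    return incomplete_is_local(addr) or in_any(parse(addr), LINK_LOCAL)


def allowed_targets(resolved, check=is_local):
    """Permit a proxied request only if no resolved address is local."""
    return not any(check(a) for a in resolved)


# Constructed sample addresses (documentation and test ranges, not from the page).
SAMPLES = ["127.0.0.1", "::1", "10.1.2.3", "fe80::1", "fe80::1%eth0",
           "2001:db8::10", "203.0.113.10"]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:16} incomplete={incomplete_is_local(a)!s:5} fixed={is_local(a)}")
```

The decision is made on every address a hostname resolves to, so one link-local result is enough to refuse the request.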