Title: Deco deco-apps 0.114.12 - 0.120.1 Server-Side Request Forgery

Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the analyticsScript.ts loader. The URL parameter is not properly validated, allowing attackers to force the server to fetch arbitrary URLs, including URLs. This enables local file disclosure, lets crafted payloads reach internal services, and leaks the entire set of environment variables.

Impact: Integration with

Mitigation / Fix: Apply the patch in https://github.com/deco-cx/apps/commit/8675c0b3d75a778198afdf6f35730eafd114ccd8, which validates and sanitizes the URL parameter and restricts allowed schemes/hosts.

Fix version: 0.120.2

Submission: 2025-11-09 03:15 PM

Moderation: 2025-11-30 02:54 PM

VulDB entry: 333807
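
The mitigation named in this entry is validation of the URL parameter plus a restriction on schemes and hosts. One way to write such a check, as an added example that is not the deco-apps patch or project code; `ALLOWED_HOSTS`, `rejectReason`, `fetchScript` and the host `analytics.example.com` are assumptions made for illustration:

```typescript
// Added example: allowlist check for a URL the server will fetch.
// All names and the sample host are hypothetical, not deco-apps code.
const ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "analytics.example.com", // constructed sample host
]);

// Returns null when the URL may be fetched, otherwise a short rejection reason.
function rejectReason(
  raw: string,
  allowed: ReadonlySet<string> = ALLOWED_HOSTS,
): string | null {
  let url: URL;
  try {
    url = new URL(raw); // absolute URLs only; relative input throws
  } catch {
    return "unparseable";
  }
  // Scheme allowlist: anything other than https is refused outright.
  if (url.protocol !== "https:") return "scheme";
  // Userinfo makes "https://trusted@other-host/" look trusted to a human reader.
  if (url.username !== "" || url.password !== "") return "userinfo";
  // Only the default port; url.port is "" when the port is 443 or absent.
  if (url.port !== "") return "port";
  // The parser has already lowercased the hostname; require an exact match.
  if (!allowed.has(url.hostname)) return "host";
  return null;
}

// Fetch wrapper: validate first, and do not follow redirects, because a
// redirect target would never pass through rejectReason().
async function fetchScript(raw: string): Promise<string> {
  const reason = rejectReason(raw);
  if (reason !== null) throw new Error(`rejected URL (${reason})`);
  const res = await fetch(new URL(raw).href, { redirect: "manual" });
  if (res.status !== 200) throw new Error(`unexpected status ${res.status}`);
  return await res.text();
}
```

A hostname allowlist does not by itself cover DNS answers that point an allowed name at an internal address; that needs a check on the resolved address or egress filtering.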