Zalando · Zalando Skipper · CVE-2022-38580
**Name of the Vulnerable Software and Affected Versions**
Zalando Skipper versions prior to v0.13.237
**Description**
In vulnerable versions, an attacker can make the proxy access the internal metadata server or other unauthenticated URLs by adding a specific header (`X-Skipper-Proxy`) to the HTTP request. This is a case of Server-Side Request Forgery (SSRF).
**Recommendations**
To resolve the issue, upgrade to Zalando Skipper version v0.13.237 or later.
As a temporary workaround, consider adding the `dropRequestHeader("X-Skipper-Proxy")` filter to your routes so that the header is removed from incoming requests.
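To confirm the workaround is applied on every route, the following added example (not part of the advisory and not Skipper project code) scans eskip route definitions and lists the routes that lack the filter. It uses a simplified parser rather than Skipper's own, and the route IDs and hostnames in the sample are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The workaround filter from the advisory; the header name is matched case-insensitively.
var dropFilter = regexp.MustCompile(`dropRequestHeader\(\s*"(?i:X-Skipper-Proxy)"\s*\)`)
// routeID extracts "id" from "id: predicates -> filters -> backend".
var routeID = regexp.MustCompile(`^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:`)

// MissingWorkaround returns the IDs of routes without the workaround filter.
// Simplified parsing (assumption): routes end with ';', comments are whole
// lines starting with "//", and no ';' appears inside string literals.
func MissingWorkaround(eskip string) []string {
	var kept []string
	for _, line := range strings.Split(eskip, "\n") {
		if !strings.HasPrefix(strings.TrimSpace(line), "//") {
			kept = append(kept, line)
		}
	}
	var missing []string
	for _, def := range strings.Split(strings.Join(kept, "\n"), ";") {
		m := routeID.FindStringSubmatch(def)
		if m == nil {
			continue // blank tail or text this simplified parser does not handle
		}
		if !dropFilter.MatchString(def) {
			missing = append(missing, m[1])
		}
	}
	return missing
}

// Constructed sample routes; route IDs and hostnames are placeholders.
const sampleRoutes = `
// public API, workaround applied
api: PathSubtree("/api") -> dropRequestHeader("X-Skipper-Proxy") -> "https://api.internal.example";
admin: Path("/admin") -> dropRequestHeader("x-skipper-proxy") -> "https://admin.internal.example";
static: Path("/static") -> setResponseHeader("Cache-Control", "max-age=60") -> "https://static.internal.example";
`

func main() {
	for _, id := range MissingWorkaround(sampleRoutes) {
		fmt.Printf("route %q lacks dropRequestHeader(\"X-Skipper-Proxy\")\n", id)
	}
}
```

A route reported here still needs the filter added, or the instance upgraded to v0.13.237 or later.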