Spin · Spin · CVE-2024-32980
**Name of the Vulnerable Software and Affected Versions**
Spin versions prior to 2.4.3
**Description**
The issue affects Spin applications configured in a specific way: a component that makes `self` requests without a URL authority can be induced to send those requests to arbitrary hosts via the `Host` HTTP header. All of the following conditions must hold: the environment routes requests based on the URL rather than the `Host` header; the application's component is configured with an `allowed_outbound_hosts` list that includes `"self"`; and the component makes an outbound request without a hostname/port in the URL.
**Recommendations**
For versions prior to 2.4.3, update to version 2.4.3 to fix the issue.
As a temporary workaround, ensure that the `Host` header is sanitized to match the application a request is routed to.
For individual applications, consider the following workarounds:
1. Ensure that outgoing requests always sanitize the `Host` header.
2. Ensure that outgoing requests always provide the hostname in the URL, and list that hostname in `allowed_outbound_hosts` instead of `self`.
3. When using Spin 2.4, use application-internal service chaining for intra-application requests.
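The following is an added example, not code from the Spin project or the advisory, illustrating the mechanism in the description and workarounds 1 and 2 above. It deliberately avoids the Spin SDK so it runs stand-alone: `self_url_from_host_header` shows the risky pattern (a `self` request resolved from whatever `Host` header arrived), `validated_host` and `safe_self_url` show a `Host` check that only honours authorities the application is actually served under, and `explicit_self_url` shows building the intra-application URL with a fixed hostname instead of relying on `self`. The authorities `app.example.internal` and `app.example.internal:443`, the scheme, and the sample paths are constructed values for the example.

```rust
use std::collections::HashSet;

/// Authorities under which this application is legitimately reachable.
/// Constructed sample values; a real deployment takes these from its own configuration.
const EXPECTED_AUTHORITIES: &[&str] = &["app.example.internal", "app.example.internal:443"];

/// Scheme used for intra-application requests in this example (an assumption).
const SELF_SCHEME: &str = "https";

/// The pattern the advisory describes: a `self` request whose authority is taken
/// from the inbound `Host` header. Behind a router that picks the application by
/// URL path, that header is client-controlled, so the outbound request can go anywhere.
pub fn self_url_from_host_header(host_header: &str, path: &str) -> String {
    format!("{SELF_SCHEME}://{host_header}{path}")
}

/// Parse an authority into (lower-cased host, optional port). Anything that is not a
/// plain hostname with an optional numeric port is rejected (bracketed IPv6 literals
/// included, which this application is not served under).
fn parse_authority(raw: &str) -> Option<(String, Option<u16>)> {
    let raw = raw.trim();
    if raw.is_empty() || raw.contains(|c: char| matches!(c, '/' | '\\' | '?' | '#' | '@')) {
        return None;
    }
    let (host, port) = match raw.rsplit_once(':') {
        Some((h, p)) => (h, Some(p.parse::<u16>().ok()?)),
        None => (raw, None),
    };
    let host_ok = !host.is_empty()
        && host.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.');
    if !host_ok {
        return None;
    }
    Some((host.to_ascii_lowercase(), port))
}

/// Workaround 1: honour the inbound `Host` header only when it names this
/// application. Returns the normalised authority, or None if the header is missing,
/// malformed, or points at some other host (including an unexpected port).
pub fn validated_host(host_header: Option<&str>) -> Option<String> {
    let (host, port) = parse_authority(host_header?)?;
    let authority = match port {
        Some(p) => format!("{host}:{p}"),
        None => host,
    };
    let expected: HashSet<String> = EXPECTED_AUTHORITIES
        .iter()
        .map(|a| a.to_ascii_lowercase())
        .collect();
    if expected.contains(&authority) {
        Some(authority)
    } else {
        None
    }
}

/// Hardened counterpart of `self_url_from_host_header`: the request is built only
/// from a validated authority and an absolute path; otherwise it is refused.
pub fn safe_self_url(host_header: Option<&str>, path: &str) -> Option<String> {
    if !path.starts_with('/') {
        return None;
    }
    let authority = validated_host(host_header)?;
    Some(format!("{SELF_SCHEME}://{authority}{path}"))
}

/// Workaround 2: put the hostname in the URL so resolution never depends on the
/// inbound request; `allowed_outbound_hosts` then lists this host rather than "self".
pub fn explicit_self_url(path: &str) -> Option<String> {
    if !path.starts_with('/') {
        return None;
    }
    Some(format!("{SELF_SCHEME}://{}{path}", EXPECTED_AUTHORITIES[0]))
}

fn main() {
    // Constructed inbound requests: one legitimate, one carrying a foreign Host header.
    let legit = Some("App.Example.Internal");
    let foreign = Some("other.example.net");
    println!("unchecked: {}", self_url_from_host_header(foreign.unwrap(), "/internal/users"));
    println!("checked, legit:   {:?}", safe_self_url(legit, "/internal/users"));
    println!("checked, foreign: {:?}", safe_self_url(foreign, "/internal/users"));
    println!("explicit:         {:?}", explicit_self_url("/internal/users"));
}
```

The check compares the whole authority, port included, against an allow-list rather than looking for a substring, so `app.example.internal:8443` or `app.example.internal.other.example.net` are refused along with hosts that are simply unknown.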