PT-2022-9685 · Arangodb · Arangodb

Published: 2022-02-09 · Updated: 2022-02-11 · CVE-2021-25939

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: ArangoDB versions v3.7.0 through v3.9.0-alpha.1

Description: The issue in ArangoDB allows a highly privileged attacker to perform blind Server-Side Request Forgery (SSRF) and send internal requests to localhost. This is due to a feature that enables downloading a Foxx service from a publicly available URL without proper filtering of internal requests.

Recommendations: For ArangoDB versions v3.7.0 through v3.9.0-alpha.1, consider disabling the feature that allows downloading Foxx services from publicly available URLs until a patch is available. Restrict access to internal requests to minimize the risk of exploitation.

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers: CVE-2021-25939

Affected Products: Arangodb