CVE-2023-25753

Name of the Vulnerable Software and Affected Versions Apache ShenYu version 2.5.1

Description There exists an SSRF (Server-Side Request Forgery) vulnerability located at the "/sandbox/proxyGateway" endpoint. This vulnerability allows manipulation of arbitrary requests and retrieval of corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is the ability to exert control over the HTTP method, cookies, IP address, and headers, effectively granting the capability to dispatch complete HTTP requests to hosts of choice.

Recommendations Upgrade to Apache ShenYu 2.6.0 or apply the patch. As a temporary workaround, consider restricting access to the "/sandbox/proxyGateway" endpoint until a patch is applied. Avoid using the requestUrl parameter in the affected API endpoint until the issue is resolved.