Name of the Vulnerable Software and Affected Versions remark-images-download versions prior to 3.1.0

Description A major blind Server-Side Request Forgery (SSRF) issue was found in the remark-images-download module, allowing requests to be made to neighboring servers on local IP ranges due to loose filtering of URLs. This could enable access to unexposed documents on the local network. The issue is considered moderate and easy to exploit. For example, if a private service is running on 192.168.1.2 and a user enters a Markdown link to an image on that service, the image could be downloaded and included in the resulting document, even if the service is not intended for user access.

Recommendations Update to version 3.1.0 as soon as possible to patch the vulnerability. No workaround is available, and upgrading to the new version will not break compatibility due to the inclusion of a new option to prevent another vulnerability.