Server-Side Request Forgery (SSRF) in TruffleHog - CVE-2024-43379

Published: August 17, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127480
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-43379
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Truffle Security
Affected software:
TruffleHog

Detailed vulnerability description

The vulnerability allows a remote attacker to make the scanner issue HTTP requests to attacker-chosen endpoints.

The vulnerability exists because some detectors build the request they send (for example, to verify a candidate credential) from values taken out of the data being scanned. A remote attacker can plant crafted data where the victim will scan it; when a vulnerable detector processes that data, it sends a request to the endpoint the attacker embedded, which may be a host that is reachable only from the machine running the scan.

User interaction is required because the victim must scan the crafted data. Exploitation is effective only if the targeted endpoint is an unauthenticated GET endpoint that produces side effects, since the attacker only chooses where the detector's GET request goes and does not see the response; the attack is limited to whatever such a request can trigger.
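The following Go program is an added example written for this page; it is not code from TruffleHog, the advisory, or the vendor's fix. It models the detector pattern the advisory describes using a hypothetical EXAMPLE_TOKEN / EXAMPLE_HOST credential format (an assumption; no real detector uses it): the scanned data carries a token next to a URL, the SSRF-prone verifier sends its GET to whatever URL the data supplied, and a hardened verifier only ever contacts a canonical URL chosen by the detector for an allowlisted hostname. The target server, its /internal/admin and /api/verify paths, and the side-effect counter are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
	"sync/atomic"
)

// Candidate is a token plus the endpoint the scanned data says it belongs to; both are attacker-controlled.
type Candidate struct{ Token, Endpoint string }

// Hypothetical credential format, not a real TruffleHog detector:
// EXAMPLE_TOKEN=<20+ alphanumerics> EXAMPLE_HOST=<url>
var (
	tokenPat = regexp.MustCompile(`EXAMPLE_TOKEN=([A-Za-z0-9]{20,})`)
	hostPat  = regexp.MustCompile(`EXAMPLE_HOST=(\S+)`)
)

// Extract pairs every token with every host found in the same chunk of data.
func Extract(data string) []Candidate {
	var out []Candidate
	for _, t := range tokenPat.FindAllStringSubmatch(data, -1) {
		for _, h := range hostPat.FindAllStringSubmatch(data, -1) {
			out = append(out, Candidate{Token: t[1], Endpoint: h[1]})
		}
	}
	return out
}

// probe is the detector's verification request: a GET carrying the token as a bearer token.
func probe(client *http.Client, rawURL, token string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// VerifyUnsafe is the SSRF-prone pattern: the probe goes to whatever URL the data supplied, path and query included.
func VerifyUnsafe(client *http.Client, c Candidate) (bool, error) {
	return probe(client, c.Endpoint, c.Token)
}

// VerifyHardened looks the parsed hostname up in an allowlist and probes only the canonical URL registered
// there, discarding the attacker's scheme, path and query; an unknown host gets no request (sent == false).
func VerifyHardened(client *http.Client, c Candidate, allowed map[string]string) (verified, sent bool, err error) {
	u, err := url.Parse(c.Endpoint)
	if err != nil {
		return false, false, err
	}
	canonical, ok := allowed[strings.ToLower(u.Hostname())]
	if !ok {
		return false, false, nil
	}
	verified, err = probe(client, canonical, c.Token)
	return verified, true, err
}

// NewTargetServer is a constructed stand-in for an internal service: an unauthenticated GET
// endpoint with a side effect (counted in the returned int32) and a token verification endpoint.
func NewTargetServer() (*httptest.Server, *int32) {
	var resets int32
	mux := http.NewServeMux()
	mux.HandleFunc("/internal/admin", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("action") == "reset" {
			atomic.AddInt32(&resets, 1)
		}
	})
	mux.HandleFunc("/api/verify", func(w http.ResponseWriter, r *http.Request) {})
	return httptest.NewServer(mux), &resets
}

// RunScenario runs both verifiers on constructed data that smuggles the internal admin URL in next to a token.
func RunScenario() (unsafeResets, hardenedResets int32, hardenedVerified bool, err error) {
	srv, resets := NewTargetServer()
	defer srv.Close()
	data := "EXAMPLE_TOKEN=abcdefghijklmnopqrstuvwxyz EXAMPLE_HOST=" + srv.URL + "/internal/admin?action=reset"
	c := Extract(data)[0] // the constructed data yields exactly one candidate
	if _, err = VerifyUnsafe(srv.Client(), c); err != nil {
		return 0, 0, false, err
	}
	unsafeResets = atomic.LoadInt32(resets)
	// Even with the target host allowlisted, only its canonical URL is contacted.
	srvURL, _ := url.Parse(srv.URL)
	hardenedVerified, _, err = VerifyHardened(srv.Client(), c, map[string]string{srvURL.Hostname(): srv.URL + "/api/verify"})
	return unsafeResets, atomic.LoadInt32(resets) - unsafeResets, hardenedVerified, err
}

func main() {
	fmt.Println(RunScenario()) // 1 0 true <nil>: only the unsafe verifier fired the side effect
}
```

The hardened variant is one possible mitigation shape, not the vendor's patch. Keying the allowlist on the parsed Hostname rather than on a string prefix is what makes it hold up against the usual bypasses: a userinfo trick such as http://api.example.com@evil.example/ parses to host evil.example, and a schemeless string parses to an empty host, so neither reaches the probe.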


How to mitigate CVE-2024-43379

Install the security update from the vendor's website.

Sources