Server-Side Request Forgery (SSRF) in Discourse - CVE-2022-39241
Published: November 1, 2022 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information from internal network services.
The vulnerability exists due to insufficient server-side request forgery protections in Discourse server-side request handling when processing user-supplied URLs that trigger outbound connections to private IP addresses. A remote privileged user can send a specially crafted request to disclose sensitive information from internal network services.
Depending on the available privileges, exploitation may trigger HTTP GET or POST requests, and may also trigger git clone operations over HTTP or SSH. Response visibility is limited in some cases.