Login Sign Up

CVE-2024-24113

8.8 HIGH
Remote Code Execution Authentication Bypass SSRF

📋 TL;DR

This SSRF vulnerability in xxl-job allows low-privileged users to make the server execute arbitrary requests to internal systems, potentially leading to remote code execution. It affects all deployments running xxl-job version 2.4.1 or earlier. Attackers can exploit this to compromise the executor component and gain control over affected systems.

💻 Affected Systems

Products:
  • xxl-job
Versions: <= 2.4.1
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with low-privileged user access are vulnerable. The vulnerability exists in the executor component's request handling.

📦 What is this software?

Xxl Job by Xuxueli

View all CVEs affecting Xxl Job →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the executor server, allowing lateral movement to internal networks and data exfiltration.

🟠

Likely Case

Unauthorized access to internal services, credential theft from metadata services, and potential RCE on vulnerable executor instances.

🟢

If Mitigated

Limited to information disclosure from internal endpoints if network segmentation and proper authentication are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires low-privileged user access. The GitHub issue contains technical details that could be weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.2

Vendor Advisory: https://github.com/xuxueli/xxl-job/issues/3375

Restart Required: Yes

Instructions:

1. Upgrade xxl-job to version 2.4.2 or later. 2. Update all executor and admin components. 3. Restart all xxl-job services. 4. Verify the fix by testing SSRF attempts.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict outbound network access from xxl-job executors to only necessary internal services

Access Control Enhancement

all

Implement stricter authentication and authorization for low-privileged users

🧯 If You Can't Patch

  • Implement strict network egress filtering to block executor access to sensitive internal endpoints
  • Disable or restrict low-privileged user accounts and monitor for suspicious SSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check xxl-job version in admin interface or configuration files. If version <= 2.4.1, system is vulnerable.

Check Version:

Check application.properties or xxl-job-admin logs for version information

Verify Fix Applied:

After upgrading to 2.4.2+, attempt SSRF payloads that previously worked should be blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound requests from executor to internal services
  • SSRF payload patterns in user input logs
  • Failed authentication attempts followed by executor requests

Network Indicators:

  • Executor making requests to internal metadata services (169.254.169.254)
  • Unexpected outbound connections from xxl-job servers

SIEM Query:

source="xxl-job" AND (url="*169.254.169.254*" OR url="*localhost*" OR url="*127.0.0.1*")

📊 Metadata

CVE ID: CVE-2024-24113
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-918
Published: February 8, 2024
Last Updated: May 15, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-24113, you might also want to check these:

CVE-2023-3432 10.0

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in PlantUML versions prior to ...

Same vulnerability type (CWE-918)
CVE-2025-2828 10.0

This Server-Side Request Forgery (SSRF) vulnerability in langchain-community's RequestsToolkit allow...

Same vulnerability type (CWE-918)
CVE-2023-43654 10.0

TorchServe versions 0.1.0 to 0.8.1 have a critical vulnerability where the default configuration lac...

Same vulnerability type (CWE-918)