CVE-2026-3189
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in feiyuchuixue sz-boot-parent up to version 1.3.2-beta. Attackers can manipulate the 'url' parameter in the /api/admin/common/files/download endpoint to make the server send unauthorized requests to internal systems. Organizations using affected versions of this software are at risk.
💻 Affected Systems
- feiyuchuixue sz-boot-parent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, or pivot to internal network systems through the vulnerable server.
Likely Case
Information disclosure from internal services accessible to the vulnerable server, potentially including cloud metadata services or internal APIs.
If Mitigated
Limited to accessing only whitelisted external HTTP/HTTPS endpoints with proper URL validation.
🎯 Exploit Status
Exploitation requires manipulating the 'url' parameter, but the vulnerability description states attacks are 'highly complex' and 'difficult' to exploit
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3-beta
Vendor Advisory: https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
Restart Required: Yes
Instructions:
1. Upgrade to version 1.3.3-beta or later. 2. Verify the patch commit aefaabfd7527188bfba3c8c9eee17c316d094802 is applied. 3. Restart the application.
🔧 Temporary Workarounds
Implement URL validation middleware
allAdd custom validation to restrict URL protocols to only HTTP and HTTPS
Implement request filtering before the /api/admin/common/files/download endpoint processes URLs
Network segmentation
allRestrict outbound network access from the vulnerable server
Configure firewall rules to limit outbound connections from the application server
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block SSRF patterns in URL parameters
- Monitor and alert on unusual outbound requests from the application server
🔍 How to Verify
Check if Vulnerable:
Check if version is 1.3.2-beta or earlier and if /api/admin/common/files/download endpoint accepts non-HTTP/HTTPS URLsCheck Version:
Check application configuration or build files for version informationVerify Fix Applied:
Verify version is 1.3.3-beta or later and test that only HTTP/HTTPS URLs are accepted by the download endpoint📡 Detection & Monitoring
Log Indicators:
- Unusual outbound requests from the application server
- Requests to internal IP addresses or cloud metadata services
Network Indicators:
- Outbound connections from application server to unexpected destinations
- Requests to internal network ranges
SIEM Query:
source_ip=application_server AND (dest_ip=169.254.169.254 OR dest_ip IN [internal_ranges])🔗 References
- https://github.com/feiyuchuixue/sz-boot-parent/
- https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802
- https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
- https://github.com/yuccun/CVE/blob/main/sz-boot-parent-SSRF_and_Arbitrary_File_Read.md
- https://vuldb.com/?ctiid.347747
- https://vuldb.com/?id.347747
- https://vuldb.com/?submit.754042
