CVE-2022-25850 — ProxyScotch is vulnerable to a server-side Request Forgery (SSRF)

Description

ProxyScotch is a simple proxy server created for hoppscotch.io. The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. It occurs when an HTTP request is made by a backend server to an untrusted URL submitted by a user. It leads to a leakage of sensitive information from the server.

How to fix CVE-2022-25850

To remediate CVE-2022-25850, upgrade the affected package to a fixed version below.

—upgrade to 1.0.0 or later

Is CVE-2022-25850 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25850
PATCHgithub.com/hoppscotch/proxyscotch
WEBgithub.com/hoppscotch/proxyscotch/commit/de67380f62f907f201d75854b76024ba4885fab7
WEBsnyk.io/vuln/SNYK-GOLANG-GITHUBCOMHOPPSCOTCHPROXYSCOTCH-2435228