AIKIDO-2026-10388

spree_core is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Mar 18, 2026

75

High Risk

This Affects:

Ruby: spree_core
5.0.0 - 5.3.4
Fixed in 5.3.5

TL;DR

Webhook delivery (spree_api) and image download from URL (spree_core SaveFromUrlJob) send HTTP requests to URLs that can be controlled or influenced by configuration or job arguments. The previous custom SSRF checks did not fully prevent requests to private or internal addresses (e.g. RFC 1918, loopback, link-local, cloud metadata), so an attacker who can set a webhook endpoint URL or trigger image-from-URL with a malicious URL could probe or access internal services. The fix replaces the custom logic with the ssrf_filter gem for webhook delivery and image download, adds WebhookEndpoint validation that rejects URLs resolving to private IPs, enforces a 20MB download size limit for images, and stops passing secret_key in job arguments to prevent leakage.
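As an added illustration of the two defensive checks the TL;DR describes (this is not Spree's code and not the ssrf_filter gem the fix adopts), the module below validates an outbound URL by resolving its host and rejecting any address in a private, loopback, link-local or metadata range, and reads a response body under a hard size cap. The module name, method names, blocked-range list and the resolver table used in the demo are all constructed for this example; the secret_key-in-job-arguments point is a data-handling change and is not shown here.

```ruby
require "ipaddr"
require "resolv"
require "stringio"
require "uri"

# Hypothetical module (not Spree's): the checks a WebhookEndpoint-style
# validator and a size-limited image download need.
module SafeOutboundUrl
  # Address ranges an outbound request made on a user's behalf must never reach.
  BLOCKED_RANGES = [
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local; 169.254.169.254 is the cloud metadata service
    "100.64.0.0/10",    # carrier-grade NAT, often used inside clusters
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Same cap the advisory says the fix enforces for image downloads.
  MAX_DOWNLOAD_BYTES = 20 * 1024 * 1024

  class Rejected < StandardError; end

  # True if the address falls in any blocked range. IPv4-mapped IPv6 addresses
  # (::ffff:10.0.0.5) are unwrapped first so they cannot slip past the IPv4 rules.
  def self.blocked_ip?(ip_string)
    addr = IPAddr.new(ip_string)
    addr = addr.native if addr.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(addr) }
  rescue IPAddr::InvalidAddressError
    true # not an address at all, so not a safe destination either
  end

  # Parse the URL, require http(s) and a host, then resolve the host and check
  # EVERY returned address rather than the hostname string. The resolver is
  # injectable so this runs offline; the default asks the system resolver.
  def self.safe?(url, resolver: method(:system_resolve))
    uri = URI.parse(url.to_s)
    return false unless %w[http https].include?(uri.scheme)
    host = uri.hostname # strips the brackets from an IPv6 literal
    return false if host.nil? || host.empty?
    return false unless uri.userinfo.nil? # reject "http://user@host" forms outright

    addresses = literal_ip?(host) ? [host] : Array(resolver.call(host))
    return false if addresses.empty?
    addresses.none? { |ip| blocked_ip?(ip) }
  rescue URI::InvalidURIError
    false
  end

  def self.literal_ip?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  def self.system_resolve(host)
    Resolv.getaddresses(host)
  end

  # Read at most `max` bytes in chunks and stop as soon as the body exceeds the
  # limit, instead of buffering an unbounded response first.
  def self.read_limited(io, max: MAX_DOWNLOAD_BYTES, chunk: 64 * 1024)
    buf = +""
    while (piece = io.read(chunk))
      buf << piece
      raise Rejected, "response exceeds #{max} bytes" if buf.bytesize > max
    end
    buf
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed resolver table standing in for DNS.
  table = { "shop.example" => ["203.0.113.10"],
            "evil.example" => ["203.0.113.10", "10.0.0.5"] }
  lookup = ->(host) { table.fetch(host, []) }
  puts SafeOutboundUrl.safe?("https://shop.example/hooks", resolver: lookup) # true
  puts SafeOutboundUrl.safe?("https://evil.example/hooks", resolver: lookup) # false: one record is private
  puts SafeOutboundUrl.safe?("http://169.254.169.254/latest/meta-data/")    # false: metadata address
end
```

The check rejects a host when any resolved address is blocked, not just the first, because a name that returns one public and one private record is a classic way around single-address checks. A real implementation must also pin the address it validated for the actual connection (or re-check after each redirect), since a second lookup at request time can return something different; that is the gap libraries like ssrf_filter close.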

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

spree_core is vulnerable to Server-Side Request Forgery (SSRF) in versions 5.0.0 - 5.3.4.

How to fix this

Upgrade spree_core (and the spree gem that bundles it) to the patched release, 5.3.5 or later.