inference-sdk is vulnerable to Server-Side Request Forgery (SSRF)
86
High Risk
The SDK image loader fetches images from URLs using a plain HTTP client that follows redirects and performs no resolved-IP or destination validation. When a consuming application passes an attacker-influenced URL to the SDK, the request can be steered to internal resources such as cloud metadata endpoints, loopback services, and private or link-local hosts, directly, via a redirect, or via DNS rebinding. This can disclose internal services and credentials reachable from the client's network through server-side request forgery. The fix routes URL loading through a hardened fetcher that validates the resolved IP, pins the connection, and re-validates each redirect hop.
You are affected if you are using a version that falls within the vulnerable range and your application loads images from untrusted URLs through the SDK.
inference-sdk is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.9.1 - 1.3.4.
Upgrade the inference-sdk library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant