CWE-918: CWE-918: Server-Side Request Forgery (SSRF)

BaseStable🏆 #14 in Top 25 (2024)

Description

View on MITRE
306Related CVEs
13.74Severity Score
Back to CWE Lookup

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

🏆 CWE Top 25 Historical Ranking

2023:#19
Score: 4.56
287 CVEs
2024:#14↑5
Score: 13.74
306 CVEs
Trend:Worsening (moved down 5 ranks)

Frequently Asked Questions

What is CWE-918: CWE-918: Server-Side Request Forgery (SSRF)?+

CWE-918: CWE-918: Server-Side Request Forgery (SSRF) is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description

Is CWE-918 in the CWE Top 25 Most Dangerous Software Weaknesses?+

Yes. CWE-918 ranked #14 in the CWE Top 25 for 2024, associated with 306 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.

What are the security consequences of CWE-918: Server-Side Request Forgery (SSRF)?+

If exploited, CWE-918 (CWE-918: Server-Side Request Forgery (SSRF)) it can compromise Read Application Data, Execute Unauthorized Code or Commands and Bypass Protection Mechanism, leading to outcomes such as Scope: Confidentiality, Scope: Integrity, Scope: Access Control By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks and use other URLs such as that can access documents on the system (using file://).

Which programming languages are affected by CWE-918: Server-Side Request Forgery (SSRF)?+

CWE-918 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-918 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More