CVE-2024-39954 – org.apache.eventmesh:eventmesh-runtime
Package
Manager: maven
Name: org.apache.eventmesh:eventmesh-runtime
Vulnerable Version: >=1.6.0-release <=1.11.0-release
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00071 (percentile 0.22412)
Details
Apache EventMesh Vulnerable to Server-Side Request Forgery in WebhookUtil.java
Server-Side Request Forgery (SSRF) in WebhookUtil.java in the eventmesh-runtime module. The issue is independent of the host operating system (Windows, Linux and macOS are all affected) and allows an attacker to abuse functionality on the server to read or update internal resources. Users are recommended to upgrade to version 1.12.0 or use the master branch, which fixes this issue.
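The mitigation class for the SSRF described above, as an added illustration that is not EventMesh's code and is not the fix shipped in 1.12.0: before a server fetches a user-supplied webhook URL, it must reject non-HTTP schemes, embedded credentials, and any literal or resolved address that lands in a loopback, private, link-local (including the cloud metadata range) or IPv4-mapped range. The hostnames, the FAKE_DNS table, fake_resolve and validate_webhook_target are constructed for this example so it runs offline; a real deployment would resolve with socket.getaddrinfo().

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name->address table so the example runs offline (assumption, not
# EventMesh code). A real deployment would call socket.getaddrinfo() and must
# apply the same check to every redirect hop, since a public host can 302 to an
# internal one.
FAKE_DNS = {
    "hooks.example.com": ["203.0.113.10"],            # TEST-NET-3, standing in for a public address
    "internal.corp.example": ["10.0.0.5"],            # RFC 1918
    "metadata.example": ["169.254.169.254"],          # cloud instance metadata range
    "rebind.example": ["203.0.113.20", "127.0.0.1"],  # mixed answer: one public, one loopback
}

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a webhook must never reach. An explicit list is used instead of
# ipaddress's is_private so the documentation ranges used as sample "public"
# hosts above stay allowed.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def fake_resolve(host: str) -> list[str]:
    """Offline stand-in for DNS resolution; returns every address for the name."""
    return FAKE_DNS.get(host.lower().rstrip("."), [])


def is_blocked_ip(addr: str) -> bool:
    """True if addr lies in a range that must not be reachable from a webhook call."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges apply to it too.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_webhook_target(url: str, resolve=fake_resolve) -> tuple[bool, str]:
    """Decide whether a user-supplied webhook URL may be fetched.

    Returns (allowed, reason). Rejects non-HTTP schemes, embedded credentials,
    malformed ports, names that do not resolve, and any literal or resolved
    address in a blocked range. Every resolved address is checked, so a mixed
    public/internal DNS answer is rejected rather than letting the client pick.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False, "scheme not allowed"
        if parts.username is not None or parts.password is not None:
            return False, "credentials in URL not allowed"
        host = parts.hostname
        if not host:
            return False, "missing host"
        parts.port  # raises ValueError on a malformed port such as ':abc'
    except ValueError:
        return False, "malformed URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        addrs = resolve(host)                      # host is a DNS name
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"target {addr} is in a blocked address range"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://hooks.example.com/notify", "http://10.0.0.5/admin",
              "http://metadata.example/latest/meta-data/", "http://rebind.example/",
              "file:///etc/passwd", "http://[::ffff:127.0.0.1]/",
              "http://user:pw@hooks.example.com/"):
        print(u, "->", validate_webhook_target(u))
```

Two caveats apply to any validator of this shape. The address that passed the check must be the one actually connected to (pin it, or resolve once and hand the socket the address), otherwise a DNS answer that changes between check and connect (rebinding) bypasses the list. And the HTTP client must not follow redirects on its own: each Location must go back through validate_webhook_target.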
Metadata
Created: 2025-08-20T09:30:41Z
Modified: 2025-08-20T19:09:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-hf86-8x8v-h7vc/GHSA-hf86-8x8v-h7vc.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-hf86-8x8v-h7vc
Finding: F100
Auto approve: 1