MEDIUM 5.3

CVE-2026-49328: Apache Fesod SSRF in UrlImageConverter

A Server-Side Request Forgery (SSRF) vulnerability exists in Apache Fesod's image URL handling component. When an application built on Fesod processes user-supplied image URLs, an attacker can craft malicious URLs that cause the server to make unexpected outbound requests to internal systems, private cloud metadata services, or other network-restricted resources. This allows attackers to probe or interact with infrastructure that should not be directly accessible from the internet.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-918
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The UrlImageConverter component in Apache Fesod (Incubating) fesod-sheet versions prior to 2.0.2-incubating fails to properly validate and restrict outbound network requests initiated by image URL parameters. The vulnerability stems from insufficient URL scheme validation and lack of network boundary enforcement, enabling SSRF attacks that bypass access controls. An unauthenticated, network-adjacent attacker can supply a crafted image URL that triggers server-side resolution to internal addresses (RFC 1918 ranges, link-local addresses, cloud provider metadata endpoints, or other restricted network segments). The attack vector requires no privilege escalation or user interaction, making it particularly concerning in multi-tenant or internet-facing deployments.

Business impact

Organizations using Fesod risk unauthorized disclosure of sensitive internal service configurations, cloud metadata (including temporary credentials), internal DNS records, and network topology. In cloud environments, successful exploitation may lead to credential theft via metadata service endpoints. Depending on downstream processing, attackers may also trigger denial-of-service conditions by forcing the server to consume bandwidth or connections attempting to reach unreachable internal targets. This information exposure could facilitate subsequent attacks against internal infrastructure.

Affected systems

Apache Fesod (Incubating) fesod-sheet versions before 2.0.2-incubating are affected. Any application or system that integrates the UrlImageConverter component and accepts user-supplied image URLs is vulnerable. This includes web applications, reporting engines, document processors, and content management systems that render or cache images from user input.

Exploitability

Exploitability is straightforward and requires no special privileges or user interaction. An attacker simply crafts an image URL pointing to an internal resource (e.g., http://169.254.169.254/latest/meta-data/, http://localhost:8080/admin, or private IP addresses) and submits it through any image URL field. The server processes the request and may leak response data, error messages, or timing information. This vulnerability earns a CVSS 3.1 score of 5.3 (Medium) due to low attack complexity and no authentication requirement, though impact is limited to confidentiality with no integrity or availability impact reported.

Remediation

Upgrade Apache Fesod to version 2.0.2-incubating or later, which implements proper URL validation and network boundary enforcement for the UrlImageConverter component. Organizations unable to upgrade immediately should implement network-level mitigations: restrict outbound HTTP(S) requests from application servers to only required external endpoints, use a proxy with URL filtering, implement a deny-list for private IP ranges and cloud metadata endpoints, or disable image URL features if not essential.

Patch guidance

The vendor recommends upgrading to fesod-sheet 2.0.2-incubating. Verify the patch version against official Apache Fesod release notes and security advisories. Coordinate the upgrade with your change management process, as it may require application restarts or redeployment depending on your integration model. Test thoroughly in a non-production environment first to ensure no breaking changes in your specific use case.

Detection guidance

Monitor application logs and network traffic for suspicious outbound requests from Fesod instances targeting internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), or cloud metadata endpoints (e.g., *.metadata.aws.internal for AWS). Look for image URL parameters containing scheme indicators (file://, gopher://, dict://) or obfuscated internal addresses. Configure intrusion detection systems to flag outbound connections from application servers to RFC 1918 ranges and metadata services. Review application access logs for unusual image URL submissions or patterns suggesting reconnaissance activity.

Why prioritize this

While the CVSS score is Medium (5.3), this vulnerability should receive prompt attention because: (1) it requires no authentication or user interaction, making it easily exploitable by external attackers; (2) information disclosure in cloud environments can expose credentials and access tokens with high business impact; (3) Fesod is an incubating Apache project with potentially broad use in data processing and content handling; (4) the attack surface is likely to be user-facing (image uploads, URL parameters), increasing risk exposure. Prioritize patching for internet-facing instances and those in cloud environments.

Risk score, explained

CVSS 3.1 score of 5.3 (Medium) reflects: Network-based attack vector with low complexity, no privilege requirement, and no user interaction (increasing exploitability), but limited to confidentiality impact with no effect on integrity or availability in typical scenarios. However, the actual business risk may be elevated in cloud deployments where metadata exposure can lead to credential theft, and in multi-tenant environments where internal resource enumeration aids further reconnaissance.

Frequently asked questions

How would an attacker exploit this vulnerability?

An attacker submits a crafted image URL (e.g., http://169.254.169.254/latest/meta-data/ in AWS) through any input field that the application processes as an image URL. The vulnerable Fesod component then makes an outbound request from the server, allowing the attacker to read response data or infer internal service existence based on timing and error messages.

Does this vulnerability require the attacker to be authenticated?

No. The vulnerability is exploitable by any network-adjacent attacker without authentication, as the image URL parameter is typically user-facing and accepts unauthenticated submissions.

What is the difference between fesod-sheet 2.0.2-incubating and earlier versions?

Version 2.0.2-incubating includes fixes for UrlImageConverter URL validation and network boundary enforcement. You should verify the exact patch details in the official Apache Fesod security advisory to confirm all related fixes are included.

Can network firewalls alone prevent this attack?

Partially. Outbound firewall rules that deny connections to RFC 1918 ranges, link-local addresses, and cloud metadata endpoints will limit exploitation. However, patching Fesod is the definitive fix, as the application layer should enforce these controls independently rather than relying solely on network perimeter controls.

This analysis is provided for informational purposes and represents a synthesis of publicly available vulnerability data as of the publication date. The information herein is not a substitute for vendor security advisories or your organization's own risk assessment. Always verify patch versions, compatibility, and recommended actions directly with Apache Fesod official documentation and your security team before applying changes to production systems. SEC.co and its authors make no warranty regarding the completeness or accuracy of third-party vulnerability descriptions and assume no liability for decisions made based on this content. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).