[Apiiro] Dynatrace testing · Critical Risk

asdasdasdada    

**Discovered on:** Sep 16, 2025 21:18      

**Finding details**    
**Finding name:** Server-side Request Forgery (SSRF)    
**Severity:** Medium    
**Sources:** Dynatrace      

**About this vulnerability**    
**Description:** Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `?url` parameter, which was intended to allow displaying remote OpenAPI definitions. This functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.    

**NOTE:** This vulnerability has also been identified as: [CVE-2018-25031](https://security.snyk.io/vuln/SNYK-DOTNET-SWASHBUCKLEASPNETCORESWAGGERUI-5426095)    
**Identifiers:**    
    - [CVE-2021-46708](https://nvd.nist.gov/vuln/detail/CVE-2021-46708)      

**CVSS v3.1.0:** 5.4    
**Exploit maturity:** No exploit maturity data      

**Affected assets**    
**Dependency:** Swashbuckle.AspNetCore.SwaggerUI: 5.4.1.0      

**Repository:** WebGoat    
[View in Apiiro](https://app-staging.apiiro.com/profiles/repositories/eStWeiRM90qc0yCH505CNQ/risk/development?trigger=fffefbae29ae55a569aa5ebc36ee9d65&environmentId=431311fb6e694b8ab0a64ad0f2)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Apiiro] Dynatrace testing · Critical Risk #2

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Apiiro] Dynatrace testing · Critical Risk #2

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions