SSRF vulnerability in KubeVela VelaUX APIServer
Description
KubeVela is an open source application delivery platform. Users of the VelaUX APIServer could be affected by this vulnerability. When a Helm chart is used as the component delivery method, the request address of the chart repository is not restricted, and there is a blind SSRF vulnerability. Users of v1.6 should update to v1.6.1; users of v1.5 should update to v1.5.8. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
KubeVela VelaUX APIServer has a blind SSRF vulnerability via unrestricted Helm chart repository requests, allowing an attacker to probe internal network resources.
Vulnerability
Overview
CVE-2022-39383 is a blind Server-Side Request Forgery (SSRF) vulnerability affecting the KubeVela application delivery platform, specifically the VelaUX APIServer component. The root cause lies in the Helm chart delivery functionality: when a user deploys an application using a Helm chart, the APIServer does not validate or restrict the URL of the Helm repository. This allows an attacker to supply a malicious repository address that triggers a request from the server to an arbitrary internal or external host [1][3].
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must have access to the VelaUX APIServer, typically through the platform's web interface or API. The attacker then creates or modifies an application component that specifies a Helm chart from a controlled repository URL. When the server processes this component, it makes an HTTP request to the supplied address. Because the request is blind (i.e., the attacker cannot directly see the response), the attacker must infer internal network information through side-channel techniques such as timing differences or error messages [2][4].
Impact
A successful blind SSRF attack enables an attacker to probe internal services, cloud metadata endpoints, or other networked resources that the KubeVela server can reach. While the vulnerability does not directly allow reading of response data, it can be used to map internal networks, detect running services, and potentially interact with unauthenticated internal APIs. This increases the risk of further compromise within the cluster or adjacent infrastructure [1][4].
Mitigation
The KubeVela project has released patched versions to address this issue: users on v1.6 should upgrade to v1.6.1, and users on v1.5 should upgrade to v1.5.8. The fix, implemented in pull request #5000, forbids following HTTP redirects (302 responses) during Helm chart retrieval, mitigating the SSRF vector [3]. There are no known workarounds [1].
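The two controls the mitigation describes, a restricted repository address and a chart client that refuses redirects, written as an added Go example; this is not KubeVela's code from PR #5000, and the function names and the sample URLs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// ErrRedirect makes any redirect from the repository abort the chart fetch.
var ErrRedirect = errors.New("helm repository redirect refused")

// validateRepoURL rejects repository addresses that are not http(s) or that
// name a loopback, private, link-local or unspecified IP literal. Caveat: a
// hostname that resolves to such an address is not caught here; a complete
// defence also resolves the name and checks every returned IP before dialing.
func validateRepoURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("repository URL has no host")
	}
	if ip := net.ParseIP(host); ip != nil && !isPublicIP(ip) {
		return fmt.Errorf("repository host %s is not a public address", host)
	}
	return nil
}

func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified())
}

// newRepoClient returns an HTTP client whose CheckRedirect hook always fails,
// so a 302 from the repository cannot steer the server to another host.
func newRepoClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error { return ErrRedirect },
	}
}

func main() {
	fmt.Println(validateRepoURL("https://charts.example.org/index.yaml")) // <nil>
	fmt.Println(validateRepoURL("http://127.0.0.1:8080/index.yaml"))      // not a public address
}
```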
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/oam-dev/kubevela (Go) | >= 1.6.0-alpha.1, < 1.6.2 | 1.6.2 |
| github.com/oam-dev/kubevela (Go) | < 1.5.9 | 1.5.9 |
Affected products
OSV coordinates (no CPE is recorded for any of these entries):
- pkg:apk/chainguard/kubevela
- pkg:apk/chainguard/kubevela-vela-cli
- pkg:apk/chainguard/kubevela-vela-core
- pkg:apk/chainguard/kubevela-vela-core-compat
- pkg:apk/chainguard/vela-cli
- pkg:apk/chainguard/vela-core
- pkg:apk/wolfi/kubevela
- pkg:apk/wolfi/kubevela-vela-cli
- pkg:apk/wolfi/kubevela-vela-core
- pkg:apk/wolfi/kubevela-vela-core-compat
- pkg:apk/wolfi/vela-cli
- pkg:apk/wolfi/vela-core
- pkg:golang/github.com/oam-dev/kubevela (range: >= 1.6.0-alpha.1, < 1.6.2)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.