CVE-2023-27163
Description
request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
request-baskets up to v1.2.1 has an SSRF vulnerability in /api/baskets/{name}, allowing attackers to access internal network resources via crafted API requests.
Vulnerability
Description
request-baskets is a web service for collecting HTTP requests. Versions up to v1.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the /api/baskets/{name} API endpoint [1][2]. The root cause is insufficient validation of the forward_url parameter, which allows an attacker to specify arbitrary URLs that the server will fetch [4].
Exploitation
An attacker can exploit this SSRF without authentication by sending a crafted POST request to /api/baskets/{name} with a malicious forward_url pointing to internal resources, such as http://127.0.0.1:80/test [3][4]. The vulnerability does not require prior authentication; only network access to the request-baskets service is needed [4]. The same SSRF also exists in the /baskets/{name} endpoint [3].
Impact
Successful exploitation allows an attacker to access network resources and sensitive information that are otherwise inaccessible from the external network [2]. This includes internal HTTP servers, databases, and cloud metadata endpoints [4]. The attacker can also cause information disclosure by fetching internal pages and exfiltrating data [4].
Mitigation
As of March 2023, the vendor has not released a patched version [1][2]. Users should restrict network access to the request-baskets server and avoid exposing it to untrusted networks. Until a fix is available, implementing strict input validation for the forward_url parameter or using a web application firewall (WAF) to filter malicious requests may reduce risk.
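The mitigation above names strict validation of forward_url as the interim control. The following Go function is an added example of such a check written for this page; it is not code from request-baskets or from the advisory, and its name and error strings are assumptions. It accepts only absolute http(s) URLs without embedded credentials, inspects IP literals directly, resolves hostnames and fails closed when resolution fails, and rejects any target in loopback, private, link-local (which covers cloud metadata addresses), unspecified, multicast, CGNAT or reserved ranges.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
	"time"
)

// Ranges that net.IP's own predicates do not flag but that a request
// collector should never forward to: CGNAT space, the IPv6 discard prefix,
// the IPv4 "this network" block and the reserved 240/4 block.
var extraBlocked = mustCIDRs("100.64.0.0/10", "100::/64", "192.0.0.0/24", "240.0.0.0/4")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // constants above are well-formed; a typo is a programming error
		}
		out = append(out, n)
	}
	return out
}

// isBlockedIP reports whether ip must not be used as a forward target.
// IPv4-mapped IPv6 literals (::ffff:127.0.0.1) are handled by net.IP itself.
func isBlockedIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return true
	}
	for _, n := range extraBlocked {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateForwardURL returns nil only for absolute http(s) URLs whose host is,
// or resolves exclusively to, a public address. Unresolvable hosts are rejected.
func ValidateForwardURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("forward_url: malformed: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("forward_url: scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("forward_url: credentials in URL not allowed")
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return errors.New("forward_url: empty host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return errors.New("forward_url: loopback host not allowed")
	}
	// IP literal: decide without touching DNS.
	if ip := net.ParseIP(host); ip != nil {
		if isBlockedIP(ip) {
			return fmt.Errorf("forward_url: address %s is not public", ip)
		}
		return nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(addrs) == 0 {
		return fmt.Errorf("forward_url: cannot resolve %q, rejecting", host)
	}
	for _, a := range addrs {
		if isBlockedIP(a.IP) {
			return fmt.Errorf("forward_url: %q resolves to non-public %s", host, a.IP)
		}
	}
	return nil
}

func main() {
	for _, raw := range []string{"https://203.0.113.10/hook", "http://169.254.169.254/", "file:///etc/hosts"} {
		fmt.Printf("%-32s -> %v\n", raw, ValidateForwardURL(raw))
	}
}
```

A resolve-then-connect check is still open to DNS rebinding between validation and the forwarded request, so the HTTP client that performs the forward should dial the address that was validated (for example via a custom net.Dialer control function that re-runs isBlockedIP on the dialed address) rather than resolving the hostname a second time. Where the set of legitimate forward targets is known, an explicit allowlist of hosts is simpler and stronger than any denylist.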
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/darklynx/request-baskets (Go) | <= 1.2.1 | — |
Affected products
- request-baskets/request-baskets
- Range: <=1.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-58g2-vgpg-335q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-27163 (ghsa, ADVISORY)
- packetstormsecurity.com/files/174128/Request-Baskets-1.2.1-Server-Side-Request-Forgery.html (ghsa, WEB)
- packetstormsecurity.com/files/174129/Maltrail-0.53-Remote-Code-Execution.html (ghsa, WEB)
- request-baskets.com (ghsa, WEB)
- gist.github.com/b33t1e/3079c10c88cad379fb166c389ce3b7b3 (ghsa, WEB)
- notes.sjtu.edu.cn/s/MUUhEymt7 (ghsa, WEB)
News mentions
No linked articles in our index yet.