CVE-2021-27905

CRITICAL IN THE WILD NUCLEI LAB

Apache Solr < 8.8.2 - Server-Side Request Forgery via ReplicationHandler masterUrl Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-27905 has been observed exploited in the wild (reported by InTheWild.io). EIP tracks 5 public exploits from researchers including Henry4E36, murataydemir, pdelteil. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits CVE-2021-27905, an SSRF vulnerability in Apache Solr. It sends a crafted request to the Solr admin interface to trigger an SSRF via the replication endpoint, using a DNS log for verification.

Description

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

Exploits (5)

nomisec WORKING POC 71 stars
by Henry4E36 · poc
https://github.com/Henry4E36/Solr-SSRF

This PoC exploits CVE-2021-27905, an SSRF vulnerability in Apache Solr. It sends a crafted request to the Solr admin interface to trigger an SSRF via the replication endpoint, using a DNS log for verification.

Classification
Working Poc 90%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Reliable
Target: Apache Solr (versions affected by CVE-2021-27905)
No auth needed
Prerequisites: Network access to the Solr admin interface · DNS log service for verification
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 5 stars
by murataydemir · poc
https://github.com/murataydemir/CVE-2021-27905

This repository provides a detailed writeup and proof-of-concept for CVE-2021-27905, an SSRF vulnerability in Apache Solr's ReplicationHandler. It includes steps to enumerate core names and exploit the vulnerability via the `masterUrl` parameter.

Classification
Writeup 100%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Reliable
Target: Apache Solr versions prior to 8.8.2 (7.0.0 to 7.7.3 and 8.0.0 to 8.8.1)
No auth needed
Prerequisites: Knowledge of the target Solr core name
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by pdelteil · poc
https://github.com/pdelteil/CVE-2021-27905.POC

This PoC demonstrates a Local File Inclusion (LFI) vulnerability in Apache Solr (CVE-2021-27905) by recursively traversing directories and reading file contents via the `debug/dump` endpoint. The script uses `curl` to exploit the vulnerability and parses responses to distinguish between directories and files.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Apache Solr (versions affected by CVE-2021-27905)
No auth needed
Prerequisites: Access to a vulnerable Apache Solr instance · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by RIZZZIOM · poc
https://github.com/RIZZZIOM/CVE-2021-27905

This repository contains a functional proof-of-concept exploit for CVE-2021-27905, an SSRF vulnerability in Apache Solr versions prior to 8.8.2. The exploit leverages the `masterUrl` parameter in the replication handler to perform arbitrary HTTP requests.

Classification
Working Poc 95%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Reliable
Target: Apache Solr < 8.8.2
No auth needed
Prerequisites: Target Apache Solr instance with exposed replication handler
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by W2Ning · poc
https://github.com/W2Ning/Solr-SSRF

This repository provides a writeup and Burp Suite repeatable steps for exploiting CVE-2021-27905, an SSRF vulnerability in Apache Solr. It includes an Xray detection plugin and a screenshot example but lacks direct exploit code.

Classification
Writeup 80%
Attack Type
Ssrf
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr
No auth needed
Prerequisites: Access to a vulnerable Apache Solr instance · Burp Suite or similar tool for request manipulation
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Apache Solr <=8.8.1 - Server-Side Request Forgery
CRITICALby hackergautam
Shodan: cpe:"cpe:2.3:a:apache:solr" || http.title:"apache solr" || http.title:"solr admin"
FOFA: title="solr admin" || title="apache solr"

References (12)

Core 12
Core References
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210611-0009/

Scores

CVSS v3 9.8
EPSS 0.9390
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull solr:8.8.1
+2 more repos

Details

InTheWild.io 2021-04-18
CWE
CWE-918
Status published
Products (2)
apache/solr < 8.8.2
org.apache.solr/solr-parent 0 - 8.8.2Maven
Published Apr 13, 2021
Tracked Since Feb 18, 2026