CVE-2022-38580
CRITICAL · Zalando Skipper < 0.13.237 - Server-Side Request Forgery
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2022-38580. PoCs published by Hosein Vita.
AI-analyzed exploit summary: This exploit demonstrates an SSRF vulnerability in X-Skipper-Proxy versions prior to v0.13.237. By adding the 'X-Skipper-Proxy' header with a target URL (e.g., AWS metadata service), an attacker can force the server to make arbitrary internal requests.
Description
Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF).
Exploits (1)
exploitdb
WORKING POC
by Hosein Vita · text · remote · multiple
https://www.exploit-db.com/exploits/51111
Classification
Working PoC 100%
Attack Type
SSRF
Complexity
Trivial
Reliability
Reliable
Target:
X-Skipper-Proxy < v0.13.237
No auth needed
Prerequisites:
Access to a vulnerable Skipper instance · Ability to send HTTP requests with custom headers
devstral-2 · analyzed Feb 16, 2026
References (5)
Core References
Not Applicable: http://skipper.com
Vendor Advisory: http://zalando.com
Third Party Advisory: https://gist.github.com/Fadavvi/9fffcfa4aaa9e25b77cfe7b3044b2857#file-cve-2022-38580
Third Party Advisory: https://pastebin.com/dXxpgPAK
Exploit, Third Party Advisory: http://packetstormsecurity.com/files/171546/X-Skipper-Proxy-0.13.237-Server-Side-Request-Forgery.html
Scores
CVSS v3
9.8
EPSS
0.4225
EPSS Percentile
97.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-918
Status
published
Products (2)
zalando/skipper
< 0.13.237
zalando/skipper
0 - 0.13.237 (Go)
Published
Oct 25, 2022
Tracked Since
Feb 18, 2026