CVE-2024-39954
MEDIUMApache EventMesh < 1.12.0 - Server-Side Request Forgery via WebhookUtil
Title source: llmDescription
CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources. Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue.
References (1)
Core 1
Core References
Mailing List vendor-advisory
https://lists.apache.org/thread/v6c96zygqx8xc2k3n2d59mgnm5txhkon
Scores
CVSS v3
6.3
EPSS
0.0014
EPSS Percentile
33.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
apache/eventmesh
< 1.12.0
org.apache.eventmesh/eventmesh-runtime
1.6.0-releaseMaven
Published
Aug 20, 2025
Tracked Since
Feb 18, 2026