CVE-2021-25939: 
ArangoDB vulnerability analysis and mitigation

In ArangoDB versions v3.7.0 through v3.9.0-alpha.1, a vulnerability was discovered in the Foxx service download feature. The vulnerability (CVE-2021-25939) allows downloading a Foxx service from a publicly available URL without proper request filtering, which can be exploited by highly-privileged attackers to perform blind Server-Side Request Forgery (SSRF) and send internal requests to localhost (Whitesource DB).

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 2.7. The attack vector is network-based with low attack complexity, requiring high privileges and no user interaction. The scope is unchanged, with no impact on confidentiality, low impact on integrity, and no impact on availability (Whitesource DB).

When exploited, this vulnerability allows authenticated attackers with high privileges to perform blind SSRF attacks by sending internal requests to localhost. This particularly affects ArangoDB 3.8.x version 3.8.5 and later versions by default, though it can be controlled through startup options (Whitesource DB).

For ArangoDB 3.8 or earlier versions, users should upgrade to ArangoDB 3.8.5 or later and disable the --foxx.allow-install-from-remote flag in startup configuration. For ArangoDB 3.9 users, upgrading to version 3.9.0-beta.1 or later is recommended. Without these mitigations, the application remains vulnerable (Whitesource DB).