
Cloud Vulnerability DB
A community-led vulnerabilities database
The package github.com/hoppscotch/proxyscotch before version 1.0.0 was found to be vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. The vulnerability was discovered and disclosed on March 29, 2022, and was assigned CVE-2022-25850 (Snyk).
The vulnerability occurs when an HTTP request is made by a backend server to an untrusted URL submitted by a user. The CVSS v3.1 base score for this vulnerability is 7.5 (High), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: High, Integrity: None, Availability: None (Snyk).
The exploitation of this vulnerability leads to a leakage of sensitive information from the server. The confidentiality impact is rated as High, indicating that there could be a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker (Snyk).
The recommended mitigation is to upgrade github.com/hoppscotch/proxyscotch to version 1.0.0 or higher. The fix adds support for a blacklist of target URLs that the proxy refuses to make calls to (GitHub Commit).
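The fix described above restricts which destinations the proxy will call on a user's behalf. The Go snippet below is an added illustration of that class of mitigation; it is not proxyscotch's own patch, and the `TargetPolicy` type, the `CheckTarget` method and the denylist entries are assumptions constructed for the example. It rejects non-HTTP schemes, hosts on a configurable denylist (including their subdomains), and literal addresses in loopback, private, link-local and unspecified ranges before any outbound request is made.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// TargetPolicy holds hostnames the proxy must never contact. Each entry
// matches the exact host and any subdomain of it. (Hypothetical type.)
type TargetPolicy struct {
	DeniedHosts []string
}

// CheckTarget returns nil when rawURL may be proxied, or an error explaining
// why it was rejected. It is meant to run before the outbound request is built.
func (p TargetPolicy) CheckTarget(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	// Only plain web schemes are proxied; file:, gopher:, etc. are refused.
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // Hostname() strips port and IPv6 brackets
	if host == "" {
		return fmt.Errorf("missing host")
	}
	// Denylist: exact match or subdomain match.
	for _, d := range p.DeniedHosts {
		d = strings.ToLower(d)
		if host == d || strings.HasSuffix(host, "."+d) {
			return fmt.Errorf("host %q is denylisted", host)
		}
	}
	// Block the proxy host itself and internal address ranges when the
	// target is given as an IP literal.
	if host == "localhost" {
		return fmt.Errorf("localhost not allowed")
	}
	if ip := net.ParseIP(host); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
			ip.IsLinkLocalMulticast() || ip.IsUnspecified() {
			return fmt.Errorf("ip %s is in a blocked range", ip)
		}
	}
	return nil
}

func main() {
	// Constructed policy and sample targets for a stand-alone run.
	policy := TargetPolicy{DeniedHosts: []string{"internal.example"}}
	for _, target := range []string{
		"https://example.com/api",
		"http://127.0.0.1:8080/admin",
		"http://api.internal.example/",
		"file:///etc/hosts",
	} {
		if err := policy.CheckTarget(target); err != nil {
			fmt.Printf("reject %-35s %v\n", target, err)
		} else {
			fmt.Printf("allow  %s\n", target)
		}
	}
}
```

A literal-address check like this only covers targets written as IPs. A hostname that resolves to an internal address passes `CheckTarget`, so a production proxy should also validate the resolved addresses at dial time (for example in a custom dialer's control hook) rather than relying on the URL string alone.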
Source: This report was generated using AI