CVE-2024-37818: 
JavaScript vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Strapi v4.24.4 via the component /strapi.io/_next/image. The vulnerability was disclosed on June 20, 2024, and affects the Strapi.io website. However, this vulnerability is currently disputed by the Strapi Development Community (NVD).

The vulnerability allows attackers to perform SSRF attacks through crafted GET requests to the /strapi.io/_next/image endpoint. The attack can be executed by manipulating the URL parameter in image requests, potentially bypassing internal IP restrictions by using alternative hostnames like 'localhost'. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (NVD).

If exploited, this vulnerability could allow attackers to scan for open ports within the internal network and potentially access sensitive information. The attack can be performed by both authenticated and unauthenticated users through GET requests to the affected endpoint (Medium Blog).

The Strapi Development Community disputes this vulnerability, stating that it only affects the strapi.io website and does not pose any real SSRF risk to applications using the Strapi library. Recommended general SSRF mitigation strategies include implementing whitelists, DNS resolution controls, authentication on internal services, hardening cloud services, proper response handling, and disabling unused URL schemas (NVD).

The Strapi Development Community has actively disputed the validity of this vulnerability, arguing that the issue was wrongly attributed to the strapi/admin component when it only affects the strapi.io website (NVD).