Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3733 is a Server-Side Request Forgery (SSRF) vulnerability found in the xuxueli xxl-job project, specifically affecting versions up to 3.3.2.'}, {'type': 'paragraph', 'content': "The vulnerability exists in the /jobinfo/trigger endpoint where the 'addressList' parameter, which controls the target URI for network requests, is user-controllable and lacks proper validation."}, {'type': 'paragraph', 'content': 'This flaw allows an attacker to manipulate the parameter to make the server send arbitrary HTTP POST requests to internal or external services, potentially probing or exploiting internal network resources.'}, {'type': 'paragraph', 'content': 'The vulnerable code does not validate or restrict the URL parameter before making network requests, enabling remote exploitation without requiring local access.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This SSRF vulnerability can allow attackers to make the vulnerable server send requests to arbitrary internal or external services.

As a result, attackers may be able to scan internal networks, access sensitive internal services, or exploit other vulnerabilities within the internal environment that are not directly accessible from outside.

This can lead to unauthorized access, data exposure, or further compromise of the affected system and its network.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability can be detected by monitoring and analyzing requests to the vulnerable endpoint `/jobinfo/trigger` in the xuxueli xxl-job application. Specifically, look for unusual or crafted HTTP POST requests containing the `addressList` parameter, which is user-controllable and exploited for SSRF.'}, {'type': 'paragraph', 'content': 'Detection can involve inspecting web server logs or network traffic for requests to `/xxl-job-admin/jobinfo/trigger` with suspicious or unexpected URLs in the `addressList` parameter.'}, {'type': 'paragraph', 'content': 'Commands to help detect exploitation attempts might include:'}, {'type': 'list_item', 'content': "Using curl to simulate or detect suspicious requests: `curl -v -X POST 'http://<target>/xxl-job-admin/jobinfo/trigger' -d 'id=1&executorParam=test&addressList=http://malicious-url.com'`"}, {'type': 'list_item', 'content': "Using grep to search web server logs for requests to the vulnerable endpoint: `grep '/xxl-job-admin/jobinfo/trigger' /var/log/nginx/access.log`"}, {'type': 'list_item', 'content': 'Monitoring DNS logs or outbound HTTP requests from the server to detect unexpected external calls triggered by SSRF.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing strict validation and sanitization of the `addressList` parameter to ensure it only allows requests to authorized and safe domains or IP ranges.

Additionally, enforce access token security verification as recommended by the project maintainer to restrict unauthorized access to the vulnerable endpoint.

Network-level controls such as firewall rules or outbound request filtering can help prevent the server from making arbitrary HTTP requests to internal or external services.

If possible, update to a patched version of the software or apply any available patches that address this SSRF vulnerability.

Useful 0 Not Useful 0