CVE-2021-25939

Source
https://cve.org/CVERecord?id=CVE-2021-25939
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-25939.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-25939
Published
2022-02-09T13:15:08.447Z
Modified
2025-11-14T11:44:12.609421Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

ArangoDB versions v3.7.0 through v3.9.0-alpha.1 have a feature that allows downloading a Foxx service from a publicly available URL. This feature does not properly filter the requests it performs internally, which a highly privileged attacker can abuse to perform blind SSRF and send internal requests to localhost.

Affected packages

Git / github.com/arangodb/arangodb

Affected ranges

Type
GIT
Repo
https://github.com/arangodb/arangodb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

Other

basic
testBuildDocu
vdevel

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.12
v0.3.13
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.6.0

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.99
v1.0.alpha1
v1.0.alpha2
v1.0.alpha3
v1.0.beta1
v1.0.beta2
v1.0.beta3
v1.0.beta4
v1.1.0
v1.1.1
v1.1.beta1
v1.1.beta2
v1.2.beta1
v1.2.beta2
v1.4.0
v1.4.0-alpha1
v1.4.0-alpha2
v1.4.0-beta1
v1.4.0-beta2
v1.4.0-rc1
v1.4.1
v1.4.1-rc1
v1.4.10
v1.4.11
v1.4.2
v1.4.2-alpha1
v1.4.3
v1.4.3-alpha1
v1.4.4
v1.4.4-rc1
v1.4.5
v1.4.5-rc1
v1.4.5-rc2
v1.4.6
v1.4.7
v1.4.8
v1.4.9

v2.*

v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3
v2.0.0-beta1
v2.0.0-beta2
v2.3.0
v2.3.0-alpha1
v2.3.0-alpha2
v2.3.0-alpha3
v2.3.0-alpha4
v2.3.0-alpha5
v2.3.0-alpha6
v2.3.0-alpha7
v2.3.0-beta1
v2.3.0-beta2
v2.3.1
v2.5.0-alpha1
v2.5.0-alpha2
v2.5.0-alpha3
v2.5.0-alpha4
v2.5.0-alpha5
v2.5.0-alpha6
v2.5.0-alpha7
v2.5.0-alpha8
v2.5.0-beta1

v3.*

v3.2.alpha777
v3.3.alpha1
v3.9.0-alpha.1

Database specific

vanir_signatures


source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-25939.json"