Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via resolve-routes. An attacker can reach internal resources and potentially exfiltrate sensitive information by crafting requests that carry user-controlled headers (e.g., Location) which are then forwarded or interpreted without validation.
Note: This is only exploitable when a self-hosted deployment implements custom middleware logic that forwards or acts on such headers; deployments without custom middleware are not affected.
Remediation
Upgrade next to version 14.2.32 (14.x line), 15.4.7 (15.x line), 15.4.2-canary.43 (canary line), or higher.