PartKeepr v1.4.0 url attachment 'add parts' - SSRF


Name: PartKeepr v1.4.0 url attachment 'add parts' - SSRF
Code name: Joplin
Product: PartKeepr
Versions: v1.4.0
State: Public
Release date: 2022-01-09


Kind: Server Side Request Forgery
Rule: 100. Server-side request forgery (SSRF)
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base Score: 4.3
Exploit available: No
CVE ID(s): CVE-2022-22702


In PartKeepr versions up to and including 1.4.0, the feature that uploads an attachment from a URL when creating a part does not restrict the host or port that the server-side request may target. An authenticated user can therefore point it at localhost or other internal addresses, carry out SSRF attacks, and enumerate local ports; the fetched response is stored as the attachment and can be downloaded.

Proof of Concept

  • Go to 'Add Part'.
  • Click on 'Attachments'.
  • Click on 'Add'.
  • Fill the 'URL' field with a URL that points at a local port "".
  • Click on 'Upload'.
  • Click on the uploaded file to download it and view the fetched content.
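The steps above work because the server fetches whatever URL the user supplies. The following is an added example, not PartKeepr code, of the check such a "fetch from URL" feature should run before making the request: parse the URL, resolve the hostname, refuse any target that lands on a loopback, private, link-local, multicast or otherwise non-public address, and hand back the vetted IP so the caller connects to that IP rather than re-resolving the name. The `resolver` parameter, the `fake_dns` table and all hostnames are assumptions constructed so the example runs offline.

```python
"""SSRF guard for a "fetch this URL as an attachment" feature.

Added example, not PartKeepr code. It assumes a generic server-side fetch
helper and shows the check the vulnerable feature lacks: resolve the
hostname, refuse anything that lands on a loopback, private, link-local,
multicast or otherwise non-public address, and hand back the vetted IP so
the caller connects to that IP (not to the hostname) and re-runs the check
on every redirect it chooses to follow.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """All A/AAAA answers for host via the system resolver (real DNS).

    Resolving instead of pattern-matching the string also normalises
    shorthand such as "127.1" or decimal "2130706433" to 127.0.0.1.
    """
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_str):
    """True only for addresses a server-side fetcher may reach."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:127.0.0.1 is an IPv4-mapped IPv6 address; judge the inner v4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes loopback, private, link-local, unspecified
    # and reserved ranges; older Pythons still count multicast as global.
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url, resolver=resolve_all):
    """Validate a user-supplied URL before the server fetches it.

    Returns (allowed, reason, pinned_ip, port). `resolver` is injectable
    (assumption for this example) so the check runs offline with
    constructed DNS answers.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None, None
    host = parts.hostname  # strips the [] around IPv6 literals
    if not host:
        return False, "missing host", None, None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed", None, None
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", None, None
    try:  # literal IP address: nothing to resolve
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve", None, None
    # Every answer must be public: a name with one public and one internal
    # address would otherwise let the attacker steer the fetch inward.
    for addr in addrs:
        if not is_public_address(addr):
            return False, "resolves to non-public address %s" % addr, None, None
    return True, "ok", addrs[0], port


if __name__ == "__main__":
    # Constructed DNS answers (assumption) so the demo runs offline.
    fake_dns = {
        "intranet.example": ["10.0.0.5"],
        "cdn.example": ["93.184.216.34"],
        "rebind.example": ["93.184.216.34", "127.0.0.1"],
    }
    offline = lambda h: fake_dns.get(h, [])
    for u in ["http://127.0.0.1:8080/", "http://[::1]:22/",
              "http://intranet.example/", "http://169.254.169.254/",
              "https://cdn.example/logo.png", "http://rebind.example/",
              "file:///etc/passwd"]:
        print(u, check_fetch_target(u, offline))
```

The returned `pinned_ip` is what the fetcher should open its socket to, sending the original hostname in the `Host` header (and in SNI for HTTPS); connecting by name again would let a second DNS answer redirect the request to an internal address. Redirect targets must be passed through `check_fetch_target` as well. Whether to additionally restrict ports to 80 and 443 is a policy choice on top of this check.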


There is no public exploit for this vulnerability, but it can be exploited manually by following the steps above.


As of 2022-01-04 there is no patch resolving the issue.


The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.


Vendor page


  • 2022-01-03: Vulnerability discovered.

  • 2022-01-04: Vendor contacted.

  • 2022-01-09: Public disclosure.