{"id":"CVE-2022-1723","summary":"Server-Side Request Forgery (SSRF) in jgraph/drawio","details":"Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6.","modified":"2026-04-10T13:40:41.868959Z","published":"2022-05-17T08:35:10Z","database_specific":{"cwe_ids":["CWE-918"],"cna_assigner":"@huntrdev","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/1xxx/CVE-2022-1723.json"},"references":[{"type":"WEB","url":"https://huntr.dev/bounties/619851a4-2a08-4196-80e9-ab41953491d8"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/1xxx/CVE-2022-1723.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1723"},{"type":"FIX","url":"https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jgraph/drawio","events":[{"introduced":"0"},{"fixed":"7a68ebe22a64fe722704e9c4527791209fee2034"}]}],"versions":["v11.1.5","v11.2.0","v11.2.1","v11.2.2","v11.2.4","v11.2.5","v11.2.6","v11.2.7","v11.2.8","v11.2.9","v11.3.0","v11.3.1","v11.3.2","v12.0.0","v12.1.0","v12.1.1","v12.1.2","v12.1.3","v12.1.4","v12.1.5","v12.1.6","v12.1.7","v12.1.8","v12.1.9","v12.2.0","v12.2.1","v12.2.2","v12.2.3","v12.2.4","v12.2.7","v12.2.8","v12.2.9","v12.3.0","v12.3.1","v12.3.2","v12.3.3","v12.3.4","v12.3.5","v12.3.6","v12.3.7","v12.3.9","v12.4.0","v12.4.1","v12.4.2","v12.4.3","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.5.0","v12.5.1","v12.5.2","v12.5.3","v12.5.4","v12.5.5","v12.5.7","v12.5.8","v12.6.1","v12.6.3","v12.6.4","v12.6.5","v12.6.7","v12.6.8","v12.7.0","v12.7.1","v12.7.2","v12.7.3","v12.7.4","v12.7.8","v12.7.9","v12.8.0","v12.8.1","v12.8.2","v12.8.3","v12.8.5","v12.8.6","v12.9.1","v12.9.10","v12.9.11","v12.9.12","v12.9.13","v12.9.14","v12.9.2","v12.9.3","v12.9.4","v12.9.5","v12.9.6","v12.9.7","v12.9.8","v12.9.9","v13.0.0","v13.0.1","v13.0.2","v13.0.3","v13.0.4","v13.0.6","v13.0.7","v13.0.8","v13.0.9","v13.1.1","v13.1.13","v13.1.14","v13.1.2","v13.1.3","v13.1.4","v13.1.7","v13.1.8","v13.1.9","v13.10.0","v13.10.1","v13.10.2","v13.10.4","v13.10.5","v13.10.6","v13.10.9","v13.11.0","v13.2.0","v13.2.1","v13.2.2","v13.2.3","v13.2.4","v13.2.5","v13.3.0","v13.3.1","v13.3.3","v13.3.4","v13.3.5","v13.3.6","v13.3.7","v13.3.8","v13.3.9","v13.4.0","v13.4.1","v13.4.2","v13.4.3","v13.4.4","v13.4.5","v13.4.6","v13.4.7","v13.4.8","v13.4.9","v13.5.0","v13.5.1","v13.5.2","v13.5.3","v13.5.4","v13.5.5","v13.5.6","v13.5.7","v13.5.8","v13.5.9","v13.6.0","v13.6.1","v13.6.10","v13.6.2","v13.6.3","v13.6.4","v13.6.5","v13.6.6","v13.6.7","v13.6.8","v13.6.9","v13.7.0","v13.7.2","v13.7.3","v13.7.4","v13.7.5","v13.7.6","v13.7.7","v13.7.8","v13.7.9","v13.8.0","v13.8.1","v13.8.2","v13.8.3","v13.8.5","v13.8.6","v13.8.7","v13.8.8","v13.8.9","v13.9.0","v13.9.1","v13.9.4","v13.9.5","v13.9.7","v13.9.8","v13.9.9","v14.0.0","v14.0.1","v14.0.2","v14.0.3","v14.0.4","v14.1.0","v14.1.1","v14.1.2","v14.1.3","v14.1.4","v14.1.5","v14.1.7","v14.1.8","v14.1.9","v14.2.2","v14.2.3","v14.2.4","v14.2.5","v14.2.6","v14.2.7","v14.2.8","v14.2.9","v14.3.0","v14.3.1","v14.3.2","v14.4.0","v14.4.2","v14.4.3","v14.4.4","v14.4.5","v14.4.6","v14.4.7","v14.4.8","v14.4.9","v14.5.0","v14.5.1","v14.5.2","v14.5.4","v14.5.5","v14.5.6","v14.5.7","v14.5.9","v14.6.0","v14.6.10","v14.6.13","v14.6.2","v14.6.5","v14.6.6","v14.6.8","v14.6.9","v14.7.0","v14.7.1","v14.7.10","v14.7.2","v14.7.3","v14.7.4","v14.7.5","v14.7.6","v14.7.7","v14.7.8","v14.7.9","v14.8.0","v14.8.2","v14.8.3","v14.8.4","v14.8.5","v14.8.6","v14.9.0","v14.9.1","v14.9.2","v14.9.3","v14.9.4","v14.9.5","v14.9.6","v14.9.7","v14.9.9","v15.0.0","v15.0.1","v15.0.2","v15.0.3","v15.0.4","v15.0.5","v15.0.6","v15.1.0","v15.1.1","v15.1.2","v15.1.3","v15.1.4","v15.2.0","v15.2.1","v15.2.2","v15.2.5","v15.2.6","v15.2.7","v15.2.9","v15.3.0","v15.3.1","v15.3.2","v15.3.3","v15.3.4","v15.3.5","v15.3.6","v15.3.7","v15.3.8","v15.4.0","v15.4.1","v15.4.2","v15.4.3","v15.5.0","v15.5.1","v15.5.2","v15.5.4","v15.5.5","v15.5.7","v15.5.8","v15.5.9","v15.6.0","v15.6.1","v15.6.2","v15.6.3","v15.6.4","v15.6.5","v15.6.6","v15.6.8","v15.7.0","v15.7.1","v15.7.2","v15.7.3","v15.7.4","v15.8.0","v15.8.1","v15.8.3","v15.8.4","v15.8.5","v15.8.6","v15.8.7","v15.8.8","v15.8.9","v15.9.1","v15.9.3","v15.9.4","v15.9.5","v15.9.6","v16.0.0","v16.0.2","v16.0.3","v16.1.0","v16.1.2","v16.1.3","v16.1.4","v16.2.1","v16.2.2","v16.2.3","v16.2.4","v16.2.6","v16.2.7","v16.3.0","v16.4.0","v16.4.11","v16.4.3","v16.4.5","v16.4.7","v16.4.8","v16.5.1","v16.5.2","v16.5.3","v16.5.4","v16.5.6","v16.6.0","v16.6.1","v16.6.2","v16.6.3","v16.6.4","v16.6.5","v16.6.6","v16.6.7","v16.6.8","v17.0.0","v17.1.0","v17.1.1","v17.1.2","v17.1.3","v17.1.4","v17.1.5","v17.2.1","v17.2.2","v17.2.3","v17.2.4","v17.2.5","v17.3.0","v17.4.0","v17.4.1","v17.4.2","v17.4.3","v17.5.1","v18.0.0","v18.0.1","v18.0.2","v18.0.3","v18.0.4","v18.0.5"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","id":"CVE-2022-1723-0c755f28","target":{"file":"src/main/java/com/mxgraph/online/ProxyServlet.java"},"digest":{"line_hashes":["164155823941122811094206771109182857156","160245533420630306738574130833110962116","69537947226551834764849017207855885304","256138604713525548233859977297912413006","261592975307050661345000838845017390020","160649243384328167964986901394892749337","265035229583910093886205732353666023363","97062798482907890118121703032367685220","309787166511801691393727171432354311978","29966799198208054064111240605085231578","77148685567998068339191760980790025489","96833048858522631637303464144216997796","326021522153828071290735822908408265198","173984242761915017864013463251696487560","7077295916910783279927582934244477390","57296694253388220070661863787744675413","136259726501917211777681163015388886953","11003448139235649482610613310846732311","336304217963182856223863799499394797274","30332039101023304224056603058444569380","233655938932811998966679757240175566971","303854268073467366786750224261515890931","198206493885392075088385474975895137689","102644286750607194763122560714049441361","115385697184160537077059955801219630316","202736063595184188205335787972583193062","284884027592292738296825309661191285306","160363404909952055706312752580621663826","40476685730975843371065815345167508907","298858127178227798993449599869642660093","337206035943752135576863116377705752749","86040464160842229292572306902721907048","314407095552115460216069433762297564549","286990117545344243044723900401037855821","141142719025590306306861712860538540807","291694686803915307371944680918345139881","220361610363521844264175547859921160531","151150785773846794353123437149140923476","256907329685055296262392615869365654928","302653323330036251404502006547641889315","339813008784272125622725954150511727287","291249668454773756444297454685964477627","123347922536996524054602747117810201018","201017225777517058754503072801214966566","257154514531125953515623984148629544429","224541562069207046483428491485845991295","269173054973854174006734530253760407762","105698365468799058616979564114073776039","22582915566064427196586184366542285660","96564587493499337530549399215292961106","170350026867361332390902886188251660187","163196146075082133289968433481822127035","320198762233207870809554170545882608022","275843038853264120213702041065157455923","61925296753831523880039389891853963333","319560539808195680466630226056240530983","96994857772813162760428750149043420611","191412961107437614749968143561852546873","73027706264393145164868602638837464148","16443198381314653050418241569722234836","229611626092962963990444451975600517466","24092105528038434399722024076327272691","29658176316503478691749580117014027119","291289631778490781097480299717931643655","239436057119325947728146148018967655899","189537775409323468863744292565699794737","116136237777338686928879407449425903630","205908048318136602793515778745749584901","3833489447582922933515943945682569469","46663338904461027072266435916317567976","267112620663868498096351728086508784683","319892909989994938184130715676254879520","70688350822016584305501734175344091000","333074141710635353878506192750459148821","8797560133126571071926280780137747383","9476403789332508322309529007711544206","319892909989994938184130715676254879520","53602006965131313275948757485882188140","124696668138895091983265742346440679896","86704469066385759685475713599255917922"],"threshold":0.9},"source":"https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034","deprecated":false},{"signature_version":"v1","signature_type":"Function","id":"CVE-2022-1723-37ea606e","target":{"file":"src/main/java/com/mxgraph/online/ProxyServlet.java","function":"doGet"},"digest":{"function_hash":"141910437561537392357251497548541515732","length":3143},"source":"https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034","deprecated":false},{"signature_version":"v1","signature_type":"Function","id":"CVE-2022-1723-5aafc2b1","target":{"file":"src/main/java/com/mxgraph/online/EmbedServlet2.java","function":"createEmbedJavaScript"},"digest":{"function_hash":"70734982879289325195397943003026944976","length":2980},"source":"https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034","deprecated":false},{"signature_version":"v1","signature_type":"Line","id":"CVE-2022-1723-7922b1aa","target":{"file":"src/main/java/com/mxgraph/online/EmbedServlet2.java"},"digest":{"line_hashes":["254901894573392985582815124475057490047","301922167397901805653990100216462167147","304899232228681989608537594468147398261","140457640227654241827563381296250487990"],"threshold":0.9},"source":"https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034","deprecated":false},{"signature_version":"v1","signature_type":"Line","id":"CVE-2022-1723-8cffbb40","target":{"file":"src/main/java/com/mxgraph/online/Utils.java"},"digest":{"line_hashes":["317159762213973568379739420242861351150","314418024365988260533013107304308908102","245037510416052164030539075216835323001","257647301532277619012957194131952782064","168624672651464988635778110615366986027","319892909989994938184130715676254879520","335391923332883398951730313256478179123"],"threshold":0.9},"source":"https://github.com/jgraph/drawio/commit/7a68ebe22a64fe722704e9c4527791209fee2034","deprecated":false}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-1723.json","vanir_signatures_modified":"2026-04-10T13:40:41Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}