{"id":"CVE-2022-1784","summary":"Server-Side Request Forgery (SSRF) in jgraph/drawio","details":"Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8.","modified":"2026-04-10T15:37:50.592527Z","published":"2022-05-20T12:15:11Z","database_specific":{"cna_assigner":"@huntrdev","cwe_ids":["CWE-918"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/1xxx/CVE-2022-1784.json"},"references":[{"type":"WEB","url":"https://huntr.dev/bounties/d1330ce8-cccb-4bae-b9a9-a03b97f444a5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/1xxx/CVE-2022-1784.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1784"},{"type":"FIX","url":"https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jgraph/drawio","events":[{"introduced":"0"},{"fixed":"7764b250b3fa58b249542f4ff9a1ddc1362cf88c"}]}],"versions":["v11.1.5","v11.2.0","v11.2.1","v11.2.2","v11.2.4","v11.2.5","v11.2.6","v11.2.7","v11.2.8","v11.2.9","v11.3.0","v11.3.1","v11.3.2","v12.0.0","v12.1.0","v12.1.1","v12.1.2","v12.1.3","v12.1.4","v12.1.5","v12.1.6","v12.1.7","v12.1.8","v12.1.9","v12.2.0","v12.2.1","v12.2.2","v12.2.3","v12.2.4","v12.2.7","v12.2.8","v12.2.9","v12.3.0","v12.3.1","v12.3.2","v12.3.3","v12.3.4","v12.3.5","v12.3.6","v12.3.7","v12.3.9","v12.4.0","v12.4.1","v12.4.2","v12.4.3","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.5.0","v12.5.1","v12.5.2","v12.5.3","v12.5.4","v12.5.5","v12.5.7","v12.5.8","v12.6.1","v12.6.3","v12.6.4","v12.6.5","v12.6.7","v12.6.8","v12.7.0","v12.7.1","v12.7.2","v12.7.3","v12.7.4","v12.7.8","v12.7.9","v12.8.0","v12.8.1","v12.8.2","v12.8.3","v12.8.5","v12.8.6","v12.9.1","v12.9.10","v12.9.11","v12.9.12","v12.9.13","v12.9.14","v12.9.2","v12.9.3","v12.9.4","v12.9.5","v12.9.6","v12.9.7","v12.9.8","v12.9.9","v13.0.0","v13.0.1","v13.0.2","v13.0.3","v13.0.4","v13.0.6","v13.0.7","v13.0.8","v13.0.9","v13.1.1","v13.1.13","v13.1.14","v13.1.2","v13.1.3","v13.1.4","v13.1.7","v13.1.8","v13.1.9","v13.10.0","v13.10.1","v13.10.2","v13.10.4","v13.10.5","v13.10.6","v13.10.9","v13.11.0","v13.2.0","v13.2.1","v13.2.2","v13.2.3","v13.2.4","v13.2.5","v13.3.0","v13.3.1","v13.3.3","v13.3.4","v13.3.5","v13.3.6","v13.3.7","v13.3.8","v13.3.9","v13.4.0","v13.4.1","v13.4.2","v13.4.3","v13.4.4","v13.4.5","v13.4.6","v13.4.7","v13.4.8","v13.4.9","v13.5.0","v13.5.1","v13.5.2","v13.5.3","v13.5.4","v13.5.5","v13.5.6","v13.5.7","v13.5.8","v13.5.9","v13.6.0","v13.6.1","v13.6.10","v13.6.2","v13.6.3","v13.6.4","v13.6.5","v13.6.6","v13.6.7","v13.6.8","v13.6.9","v13.7.0","v13.7.2","v13.7.3","v13.7.4","v13.7.5","v13.7.6","v13.7.7","v13.7.8","v13.7.9","v13.8.0","v13.8.1","v13.8.2","v13.8.3","v13.8.5","v13.8.6","v13.8.7","v13.8.8","v13.8.9","v13.9.0","v13.9.1","v13.9.4","v13.9.5","v13.9.7","v13.9.8","v13.9.9","v14.0.0","v14.0.1","v14.0.2","v14.0.3","v14.0.4","v14.1.0","v14.1.1","v14.1.2","v14.1.3","v14.1.4","v14.1.5","v14.1.7","v14.1.8","v14.1.9","v14.2.2","v14.2.3","v14.2.4","v14.2.5","v14.2.6","v14.2.7","v14.2.8","v14.2.9","v14.3.0","v14.3.1","v14.3.2","v14.4.0","v14.4.2","v14.4.3","v14.4.4","v14.4.5","v14.4.6","v14.4.7","v14.4.8","v14.4.9","v14.5.0","v14.5.1","v14.5.2","v14.5.4","v14.5.5","v14.5.6","v14.5.7","v14.5.9","v14.6.0","v14.6.10","v14.6.13","v14.6.2","v14.6.5","v14.6.6","v14.6.8","v14.6.9","v14.7.0","v14.7.1","v14.7.10","v14.7.2","v14.7.3","v14.7.4","v14.7.5","v14.7.6","v14.7.7","v14.7.8","v14.7.9","v14.8.0","v14.8.2","v14.8.3","v14.8.4","v14.8.5","v14.8.6","v14.9.0","v14.9.1","v14.9.2","v14.9.3","v14.9.4","v14.9.5","v14.9.6","v14.9.7","v14.9.9","v15.0.0","v15.0.1","v15.0.2","v15.0.3","v15.0.4","v15.0.5","v15.0.6","v15.1.0","v15.1.1","v15.1.2","v15.1.3","v15.1.4","v15.2.0","v15.2.1","v15.2.2","v15.2.5","v15.2.6","v15.2.7","v15.2.9","v15.3.0","v15.3.1","v15.3.2","v15.3.3","v15.3.4","v15.3.5","v15.3.6","v15.3.7","v15.3.8","v15.4.0","v15.4.1","v15.4.2","v15.4.3","v15.5.0","v15.5.1","v15.5.2","v15.5.4","v15.5.5","v15.5.7","v15.5.8","v15.5.9","v15.6.0","v15.6.1","v15.6.2","v15.6.3","v15.6.4","v15.6.5","v15.6.6","v15.6.8","v15.7.0","v15.7.1","v15.7.2","v15.7.3","v15.7.4","v15.8.0","v15.8.1","v15.8.3","v15.8.4","v15.8.5","v15.8.6","v15.8.7","v15.8.8","v15.8.9","v15.9.1","v15.9.3","v15.9.4","v15.9.5","v15.9.6","v16.0.0","v16.0.2","v16.0.3","v16.1.0","v16.1.2","v16.1.3","v16.1.4","v16.2.1","v16.2.2","v16.2.3","v16.2.4","v16.2.6","v16.2.7","v16.3.0","v16.4.0","v16.4.11","v16.4.3","v16.4.5","v16.4.7","v16.4.8","v16.5.1","v16.5.2","v16.5.3","v16.5.4","v16.5.6","v16.6.0","v16.6.1","v16.6.2","v16.6.3","v16.6.4","v16.6.5","v16.6.6","v16.6.7","v16.6.8","v17.0.0","v17.1.0","v17.1.1","v17.1.2","v17.1.3","v17.1.4","v17.1.5","v17.2.1","v17.2.2","v17.2.3","v17.2.4","v17.2.5","v17.3.0","v17.4.0","v17.4.1","v17.4.2","v17.4.3","v17.5.1","v18.0.0","v18.0.1","v18.0.2","v18.0.3","v18.0.4","v18.0.5","v18.0.6","v18.0.7"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"function":"doGet","file":"src/main/java/com/mxgraph/online/ExportProxyServlet.java"},"signature_type":"Function","source":"https://github.com/jgraph/drawio/commit/7764b250b3fa58b249542f4ff9a1ddc1362cf88c","id":"CVE-2022-1784-2970f477","digest":{"length":123,"function_hash":"49538206169768885484481521116510799307"},"signature_version":"v1"},{"deprecated":false,"target":{"function":"createEmbedJavaScript","file":"src/main/java/com/mxgraph/online/EmbedServlet2.java"},"signature_type":"Function","source":"https://github.com/jgraph/drawio/commit/7764b250b3fa58b249542f4ff9a1ddc1362cf88c","id":"CVE-2022-1784-7049f9d1","digest":{"length":3016,"function_hash":"3470432030323827792816714816650716441"},"signature_version":"v1"},{"deprecated":false,"target":{"file":"src/main/java/com/mxgraph/online/ExportProxyServlet.java"},"signature_type":"Line","source":"https://github.com/jgraph/drawio/commit/7764b250b3fa58b249542f4ff9a1ddc1362cf88c","id":"CVE-2022-1784-858082ce","digest":{"threshold":0.9,"line_hashes":["180789272238244288546885001159271359949","35576192044945825610945977641434497820","286057194021406331277536662860577647221","145144166743551789640126777234910768992","127763540888710339522709995971009507454","144087697034028465105565213427273967484","286038511766407548094119659691304876209","129500328128567571566174713036663817513","162698813618815396437579258340202809780","146291267804270856671916501344545440391","102661168528056376882772607372740022320","208826711001461125558892366335601625545","54786466570422448016311892460334479206","318595939416164664705339692112840221498","271741185719755941364946033898624548244","58309677891053095897723189305161979057","287194681247123779929590522274904203194","190927463681890302172105857806332304180","159780486195996373252547770977710675992","44508411518177931148226608077701599943","176870581368344016742565590360054484472","110834984155899692656040922022957841279","186579475507125839232233720476338010460","334397718876559959214862611267771088499","232236997220001653037499704676116962415","196566159410292047634061509657425327252","204482836948174099854766568327856530407","228102606815755805156897395921656578528","94995035060860162361008570587378076588","259721208675597745732795153025920448540","238516084744943187119487515595432663645","202952381627886200536577347517238034490","129368209869612971086055276425946219226","230037888378387187467115200048739037754","6040878792464258416926057937804399669","7231799929955217456584553179456876220","3906867256528341624840439729056254871","90722363254520543123263301807229938039","76226048029242824433048297436895680488","279501690996635782145587607285290504418","327457116756788831173299487039111900215","164688692059100785015039194434199670057","332965126459094885204648927856353166357","121113848624103954163861293995490988782","256584730705082943921705964095167031707","173656646453873081731516793416227958011","16943000253174070185296231346429311068","210333819771662114905929922521798371669","82087793567371661822685999613813830125","250345135886828214717995121070873313755","193826165006346730585559538157299064484","279678543001973130108289432920160428897","166426737182648385677347908556237932627","158811272773840270633614979510879969735","203778720794641776145876534706527598700","248413974318791041844509613846285596095","252120898774353079211419466597201560472","188703969363170306522781397241327433190","291227460890305711550138595246611657874","198045077996250436377393995630245671075","66297509349135122153871298275541919900","111661124633551421297185630779856032414","323765386161091670261534948977227502003","196406240586289300479422337029405334649","323828328798069546993459057595687148658","115878703066402673828258939684273350187","115071155878487152912141294446074418553","332958522749897577062306038630485633378","127504776107964746004507466818105359910","170218878819474744747104534078970723964","337598614380689348659032556663164506680","19920731631372957073566266019235807085","236603204837148997758348534517395911317","264174714697241987579306752054751460675","274698907838376447611083920365901430534","129328837029650232510635198241430507392","16296664584125957667841435669447351929","175178962214410847671789519937661763578","149461555108201031447751555994766775690","330911002109948927603074364395060704203","227860339646915601551346296985972894781","69651625364123870870833175423048988013","143554575397187256015146813388839094984","117297673001589629488762075376968453294","127989983803354714406801666073925867823","30678149260047684922933458445743701585","227238461897077151596886549216689949866","158830202716706154651874617594214996908","229425674174397765507716058200994374144","332397412076253457948538207641082953171","156541816440903427579734756043913386458","157321624749754242831662502277357657404","254726490993926656970938310091473555137","216447204900139475288577614335181638155","181520163800648525970109299726197207854","316586550690165261923997593964053900955","891362101161686083317143823218144124","114310913277922599223130107120555825721","270762089547866589191212745369012767906","262991063660225457553145497096656066602","28838877459960843556065310517173572130","301713173435540519932147209929618554344","32455770526702646300553596552012434104","13071425363648720382645790295563186061","235277657237514622051043815640350801291","101505522906191282901935590549903833294","113996744890744225708490912485601192225","184215555875474340990267261107832602732","239949367949382826509812465381542053497","268929327370548486082556554130045817776","323708585643746563571220688121069169802","264080462300817536752816275490712152474","129660322191932285280370713765259388846","185981907262258561586469956177423482316","112454836419808723484603088438632862485","212299809272721334622306312291583106860","336441530868707728516507028002201602400","252843623496135436618627970490248565538","220643483812869713568587090576623608961","198352896266400003370050275935100837296"]},"signature_version":"v1"},{"deprecated":false,"target":{"function":"doRequest","file":"src/main/java/com/mxgraph/online/ExportProxyServlet.java"},"signature_type":"Function","source":"https://github.com/jgraph/drawio/commit/7764b250b3fa58b249542f4ff9a1ddc1362cf88c","id":"CVE-2022-1784-db208c46","digest":{"length":1844,"function_hash":"242663239086281051145779215156174345331"},"signature_version":"v1"},{"deprecated":false,"target":{"function":"doPost","file":"src/main/java/com/mxgraph/online/ExportProxyServlet.java"},"signature_type":"Function","source":"https://github.com/jgraph/drawio/commit/7764b250b3fa58b249542f4ff9a1ddc1362cf88c","id":"CVE-2022-1784-e8fc4ac5","digest":{"length":124,"function_hash":"306506598867460969483449000757569771570"},"signature_version":"v1"},{"deprecated":false,"target":{"file":"src/main/java/com/mxgraph/online/EmbedServlet2.java"},"signature_type":"Line","source":"https://github.com/jgraph/drawio/commit/7764b250b3fa58b249542f4ff9a1ddc1362cf88c","id":"CVE-2022-1784-ec8ede72","digest":{"threshold":0.9,"line_hashes":["77660314934475400226812239381487105310","233914783057599907772009556776386666840","24117070879632851745740539360080522053","80043874342951353709192771977052120855","62688104822552041593747328114964531183","18369351265220543409230636377725756706","200322263589444649926294089560603405999","247204129510381087036685007189790624922"]},"signature_version":"v1"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-1784.json","vanir_signatures_modified":"2026-04-10T15:37:50Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}