LOW PRIORITY FIX: Monitor
This vulnerability is not widely exploited.
No urgency. Patch when a fix becomes available.

follow-redirects SSRF

Server-side request forgery via crafted redirect URLs

Severity: CVSS MEDIUM 5.9
Exploitation (Shoulder): No known exploits
Fix available: No patch yet
CVE-2022-0536, npm / follow-redirects

Should I care?

This matters if:
  • Apps making HTTP requests based on user-supplied URLs
  • Webhook or callback URL features
Not relevant if:
  • No outbound HTTP calls use user input
  • All URLs are validated against an allowlist

How to fix

How it breaks apps

1. User-supplied URL is fetched
2. Server makes internal request
3. Attacker reaches internal services
4. Internal network scanning or data leak
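The mitigation this page points at (only fetch user-supplied URLs that pass an allowlist, and keep that guarantee across redirects) is shown below as an added example; it is not code from follow-redirects or from Shoulder. It assumes a hypothetical allowlist of `api.example.com` and `hooks.example.com`, replaces the network with a constructed `FAKE_RESPONSES` table, and the names `validateUrl`, `fetchWithRevalidation` and `lookupFake` are made up for the illustration. The point it demonstrates is step 2 of the chain above: a redirect target must be validated exactly like the original URL before the client requests it.

```javascript
// Added example: validate a user-supplied URL against a host allowlist, then
// re-run the same validation on every redirect hop before the next request
// is made. Not code from follow-redirects or Shoulder; names and data are
// constructed for illustration.

// Assumed allowlist of hosts the application is permitted to call.
const ALLOWED_HOSTS = new Set(["api.example.com", "hooks.example.com"]);

// WHATWG URL parsing normalises IPv4 spellings such as "2130706433" or
// "0x7f.1" to dotted-quad, so a dotted-quad test covers those forms too;
// IPv6 literals appear bracketed in URL.hostname.
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;
function isIpLiteral(hostname) {
  return IPV4_LITERAL.test(hostname) || hostname.startsWith("[");
}

// Returns { ok: true, url } or { ok: false, reason }.
function validateUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  if (isIpLiteral(url.hostname)) return { ok: false, reason: "ip-literal" };
  if (!allowedHosts.has(url.hostname)) return { ok: false, reason: "host-not-allowlisted" };
  return { ok: true, url };
}

// Constructed stand-in for the network: maps a URL to a canned response.
const FAKE_RESPONSES = {
  "https://hooks.example.com/start": { status: 302, headers: { location: "/final" } },
  "https://hooks.example.com/final": { status: 200, body: "ok" },
  // An allowlisted host answering with a redirect to an internal address.
  "https://hooks.example.com/detour": { status: 302, headers: { location: "https://10.0.0.12/admin" } },
  "https://hooks.example.com/loop": { status: 302, headers: { location: "/loop" } },
};
function lookupFake(href) {
  return FAKE_RESPONSES[href] || null;
}

// Follows redirects by hand so that each hop is validated before it is
// requested, instead of letting the HTTP client follow Location blindly.
function fetchWithRevalidation(startUrl, transport, maxRedirects = 5) {
  const hops = [];
  let current = startUrl;
  for (let i = 0; i <= maxRedirects; i++) {
    const check = validateUrl(current);
    if (!check.ok) return { ok: false, reason: check.reason, at: current, hops };
    const href = check.url.href;
    const res = transport(href);
    hops.push(href);
    if (!res) return { ok: false, reason: "no-response", at: href, hops };
    const location = res.headers && res.headers.location;
    if (res.status >= 300 && res.status < 400 && location) {
      // Resolve a relative Location against the current URL as a client would,
      // then loop: the new target is validated at the top before any request.
      current = new URL(location, check.url).href;
      continue;
    }
    return { ok: true, status: res.status, body: res.body, hops };
  }
  return { ok: false, reason: "too-many-redirects", at: current, hops };
}

// Stand-alone demonstration on the constructed responses.
console.log(fetchWithRevalidation("https://hooks.example.com/start", lookupFake));
console.log(fetchWithRevalidation("https://hooks.example.com/detour", lookupFake));
console.log(fetchWithRevalidation("https://hooks.example.com/loop", lookupFake));
```

The allowlist is keyed on `URL.hostname` rather than on the raw string, so port, path and userinfo tricks do not bypass it, and IP literals are refused outright because an allowlist of names has no reason to accept them. The redirect loop has a hard hop limit so a self-redirecting endpoint cannot keep the client busy.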

Affected packages

npm follow-redirects: 108.6M weekly downloads, 1.6K dependents

Is this in your code?

Shoulder scans your codebase and tells you if CVE-2022-0536 is reachable — not just present.

npx @shoulderdev/cli trust .

Technical details

Risk by Environment

Production (public-facing): MEDIUM. Schedule patch in next sprint.
Staging: LOW. Patch when convenient.
Internal services: LOW. Low priority unless handling sensitive data.
Local dev only: LOW. Minimal concern for isolated environments.

AI Development Risk

This vulnerability pattern is commonly introduced when AI generates code.

CWE-918: Server-side request forgery
LLMs frequently generate HTTP client code that follows redirects and fetches arbitrary URLs without validation.