{"id":"CVE-2020-8902","details":"Rendertron versions prior to 3.0.0 are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display them as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.0, or, if you cannot update, to secure the infrastructure to limit the headless chrome's access to your internal domain.","aliases":["GHSA-xr9h-9m79-x29g"],"modified":"2025-11-20T11:31:49.159249Z","published":"2021-02-23T12:15:12.600Z","references":[{"type":"WEB","url":"https://github.com/GoogleChrome/rendertron/releases/tag/3.0.0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/googlechrome/rendertron","events":[{"introduced":"0"},{"fixed":"8951beb3890b44a479676f128eb4c77857db6d8c"}]}],"versions":["rendertron-middleware@0.1.3","rendertron-middleware@0.1.4","rendertron-middleware@0.1.5","v1.1.0","v2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8902.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}