{
  "variant_id": "CVE-2026-57947-webhook-ssrf-bypass-matrix",
  "created_at": "2026-07-05T10:55:00Z",
  "variant_summary": "No distinct SSRF bypass or alternate trigger found for the Pinpoint webhook SSRF vulnerability. The upstream fix (f683a24b4f) blocks all tested private-target variants via registration-time URL validation and send-time DNS-resolution validation.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/pinpoint-apm/pinpoint.git",
  "submitted_target": {
    "target_kind": "git_tag",
    "version": "3.1.0",
    "ref": "v3.1.0",
    "display": "pinpoint v3.1.0 (e3940e516c)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "f683a24b4fb10c6a850a10476ee2502129bb03e2",
    "version": "master",
    "ref": "f683a24b4f",
    "display": "pinpoint master f683a24b4f [#13857] Add webhook SSRF validation (latest master f59a5468ae)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "POST /api/webhook or /api/application/webhook with a webhook URL payload; the variant search also considered the /api/alarmRule/includeWebhooks association endpoint and found it is not a URL entry point.",
  "attacker_controlled_input": "authenticated user registers a webhook URL intended to reach an internal/private host",
  "trigger_path": "WebhookController.validateURL() -> WebhookUrlValidator.validate() at registration; WebhookSenderImpl.sendWebhooks() -> WebhookUrlValidator.validateSyntax() + WebhookDnsResolver at send time",
  "observed_impact_class": "ssrf",
  "exploitability_confidence": "low",
  "evidence_scope": "source_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": "fix_covers_surface",
  "blocking_mitigation": "The fix adds WebhookUrlValidator (strict scheme, host literal, IP-range, and authority validation) and WebhookDnsResolver (post-DNS IP-range validation with disabled redirects), which blocks all tested private-target URL variants before a request is sent.",
  "file_path": "webhook/src/main/java/com/navercorp/pinpoint/web/webhook/support/WebhookUrlValidator.java",
  "line_start": 1,
  "line_end": 283,
  "secondary_anchors": [
    {
      "file_path": "batch-alarmsender/src/main/java/com/navercorp/pinpoint/batch/alarm/sender/WebhookDnsResolver.java",
      "line_start": 1,
      "line_end": 62
    },
    {
      "file_path": "batch-alarmsender/src/main/java/com/navercorp/pinpoint/batch/alarm/AlarmSenderConfiguration.java",
      "line_start": 1,
      "line_end": 113
    },
    {
      "file_path": "webhook/src/main/java/com/navercorp/pinpoint/web/webhook/controller/WebhookController.java",
      "line_start": 1,
      "line_end": 120
    }
  ],
  "review_scope_paths": [
    "webhook/src/main/java/com/navercorp/pinpoint/web/webhook/support/WebhookUrlValidator.java",
    "webhook/src/main/java/com/navercorp/pinpoint/web/webhook/support/WebhookUrlValidatorTest.java",
    "batch-alarmsender/src/main/java/com/navercorp/pinpoint/batch/alarm/sender/WebhookDnsResolver.java",
    "batch-alarmsender/src/main/java/com/navercorp/pinpoint/batch/alarm/sender/WebhookDnsResolverTest.java",
    "batch-alarmsender/src/main/java/com/navercorp/pinpoint/batch/alarm/AlarmSenderConfiguration.java",
    "batch-alarmsender/src/main/java/com/navercorp/pinpoint/batch/alarm/AlarmSenderConfigurationTest.java",
    "batch-alarmsender/src/main/java/com/navercorp/pinpoint/batch/alarm/sender/WebhookSenderImpl.java",
    "webhook/src/main/java/com/navercorp/pinpoint/web/webhook/controller/WebhookController.java"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": ["bundle/vuln_variant/reproduction_steps.sh"]
  }
}
