Wallos versions 4.8.4 and prior suffer from an SSRF vulnerability (CWE-918) due to an incomplete fix. While webhook URLs are validated via gethostbyname(), the application passes the original hostname to cURL without using CURLOPT_RESOLVE pinning on 10 out of 11 outbound HTTP endpoints. This discrepancy allows a DNS rebinding TOCTOU attack window, enabling an attacker to manipulate DNS resolution between validation and request execution. The vulnerability has a CVSS 3.1 score of 7.7, indicating high severity. No patches or vendor advisories providing remediation are available at this time.

Successful exploitation of this SSRF vulnerability could allow an attacker to make the Wallos server send HTTP requests to unintended internal or external resources by exploiting the DNS rebinding TOCTOU window. The CVSS score indicates high impact on confidentiality, with no impact on integrity or availability reported. There are no known exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is available, users should monitor vendor communications for updates. Until a patch is released, consider restricting outbound HTTP requests from Wallos or implementing network-level controls to limit potential SSRF exploitation.