Eclipse BaSyx Java Server SDK versions before 2.0.0-milestone-10 contain a server-side request forgery vulnerability (CWE-918) due to improper validation of destination URIs in the Operation Delegation feature. An unauthenticated attacker can exploit this flaw to coerce the server into sending HTTP POST requests to arbitrary destinations, including internal network resources or cloud metadata services. This SSRF vulnerability has a CVSS 3.1 base score of 8.6, indicating high severity with network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact. The vulnerability is publicly disclosed but no official fix or patch is currently documented by the Eclipse Foundation. The affected versions include all versions prior to 2.0.0-milestone-10.

Successful exploitation allows an unauthenticated remote attacker to perform blind HTTP POST requests from the vulnerable BaSyx server to arbitrary internal or external targets. This can lead to bypassing network segmentation controls and potentially accessing sensitive internal IT/OT infrastructure or cloud metadata services, resulting in high confidentiality impact. There is no indication of integrity or availability impact. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting network access to the BaSyx server to trusted sources and monitor for unusual outbound HTTP requests. Avoid exposing the vulnerable versions to untrusted networks. Follow updates from the Eclipse Foundation for any forthcoming patches or official mitigations.