Impact
FlowIntel versions up to 3.3.0 contain a server‑side request forgery (SSRF) flaw in the external reference URL probe implemented in app/case/task.py. An attacker who can supply an external reference URL can cause the application server to send an HTTP HEAD request to the attacker‑specified destination. Because the application performs insufficient validation of the URL scheme and of the resolved destination address, the server may request resources on loopback, link‑local, private, reserved, or otherwise restricted network addresses. This opens the possibility of the server accessing internal services or cloud metadata endpoints that would normally be out of reach from the outside world.
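The checks the paragraph above says are missing, as an added example written for this page and not FlowIntel's own code: the function names, the `EXAMPLE_DNS` table and the sample URLs are constructed for illustration and say nothing about what app/case/task.py actually does. The probe restricts the scheme to http/https, resolves the host, rejects any answer that is loopback, link-local, private, reserved or otherwise non-global (unwrapping IPv4-mapped IPv6 forms so `::ffff:169.254.169.254` cannot slip past), then sends the HEAD request to the address it checked instead of resolving a second time, and returns a 3xx response rather than following it.

```python
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_restricted_address(addr: str) -> bool:
    """True for loopback, link-local, private, reserved, multicast,
    unspecified or otherwise non-global addresses. IPv4-mapped IPv6
    (::ffff:a.b.c.d) is unwrapped so it cannot smuggle a v4 address past
    the check."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified
            or not ip.is_global)


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver; every A/AAAA answer is returned so a
    host that is dual-homed onto an internal address is still caught."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_probe_target(url: str, resolver=system_resolver):
    """Return (True, pinned_ip) when the URL may be probed, else (False, reason)."""
    try:
        parts = urlsplit(url)
        _ = parts.port                      # raises ValueError on a garbage port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        ipaddress.ip_address(host)
        addrs = [host]                      # literal address, nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return False, f"no addresses for {host!r}"
    for addr in addrs:
        if is_restricted_address(addr):
            return False, f"{host!r} resolves to restricted address {addr}"
    return True, addrs[0]


def head_probe(url: str, resolver=system_resolver, timeout: float = 5.0):
    """Send one HEAD request to the validated, pinned address. The TCP
    connection goes to the IP that passed the check (no second DNS lookup,
    so a rebinding answer cannot swap in an internal address) and a 3xx
    response is returned to the caller, not followed."""
    ok, detail = validate_probe_target(url, resolver)
    if not ok:
        raise ValueError(detail)
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    sock = socket.create_connection((detail, port), timeout=timeout)
    if parts.scheme.lower() == "https":
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(sock, server_hostname=host)  # SNI and cert check use the name
        conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock                        # pre-connected socket: connect() is never called
    try:
        conn.request("HEAD", path)          # Host header is derived from `host`
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed DNS table for offline demonstration; these are not real hosts.
EXAMPLE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example": ["10.0.0.5"],
    "metadata.example": ["::ffff:169.254.169.254"],      # IPv4-mapped link-local
    "dualhomed.example": ["93.184.216.34", "192.168.1.10"],
    "public.example": ["93.184.216.34"],
}


def example_resolver(host: str) -> list[str]:
    """Stand-in for system_resolver that answers from EXAMPLE_DNS."""
    try:
        return EXAMPLE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host: {host}")


if __name__ == "__main__":
    for candidate in ("http://public.example/ref", "http://localhost/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://metadata.example/", "file:///etc/passwd"):
        print(candidate, "->", validate_probe_target(candidate, example_resolver))
```

The resolver is injected so the validation can be exercised without network access; in production the default `system_resolver` is used and `head_probe` connects only to the address that passed validation. Pinning the connection to that address is what closes the time-of-check/time-of-use gap that a plain "validate, then hand the URL to an HTTP client" pattern leaves open.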
Affected Systems
The vulnerability affects FlowIntel deployments running version 3.3.0 or earlier. Any installation whose external reference URL probe has not been updated with the vendor's fix is susceptible to exploitation.
Risk and Exploitability
The CVSS score for this flaw is 6.2, and it is not listed in the CISA KEV catalog. EPSS information is unavailable. Based on the description, the attack vector is inferred to be remote, via the web interface, where an attacker submits a crafted external reference URL. If the application is exposed to untrusted users, the likelihood of exploitation is elevated: the attacker needs only the ability to supply an external reference URL, not any privileges on the server itself. The flaw lets the server reach internal network resources, which could allow reconnaissance of internal services or acquisition of cloud metadata, depending on the target environment's network segmentation.
OpenCVE Enrichment