Thanks for the report. Please provide exact environment and reproduction steps.

I am unable to get embed2servlet working locally but I can confirm that the drawdotio appspot which runs 18.0.7 does follow redirects. I tested with fe80::1 and I can reproduce the long loading time which I observed in the link-local bypass.

Are you saying fe80::1 is an internal IP address?

What I mean is that fe80::1 is included in the link-local filter in https://github.com/jgraph/drawio/blob/7a68ebe22a64fe722704e9c4527791209fee2034/src/main/java/com/mxgraph/online/Utils.java#L511, if it was being properly filtered, the request will not take so long. But it did.

I did that as I cannot interact with embed2.js on my Docker instance locally and the only way to prove that it is not being filtered is via the main site.

*embed2.js returns an error on the local Docker instance.

Updated report with more details. Embed2Servlet uses the url.openConnection in https://github.com/jgraph/drawio/blob/7a68ebe22a64fe722704e9c4527791209fee2034/src/main/java/com/mxgraph/online/EmbedServlet2.java#L400. The initial URL passed is checked against, but since url.openConnection follows redirects by default, the filter is not used for the redirection URLs. Hence, it is possible to perform SSRF this way.

Redirects are not followed by default, which version of the code are you looking at?

They are, https://drawdotio.appspot.com/embed2.js?fetch=https://httpbin.org/redirect-to%3Furl=https://example.com will return URL encoded form of example.com

ah, so setInstanceFollowRedirects is true by default? Ouch.

Yes, and the redirections are not being checked.