The module description states "This module may be vulnerable to SSRF attacks.".
I understand that this is an expected tradeoff and the module should probably only be enabled on fields filled by trusted users.
1. Enable the module
2. As a user with "administer stop broken link in body" permission, browse to /admin/config/system/stop-broken-link-in-body.
3. You are able to add fields that are used to check broken links.
If you add fields that can be filled by untrusted users, it can allow these users to trigger an SSRF attack.
I think the "administer stop broken link in body" permission should have "restrict access", because it allows choosing in which fields the module checks for broken links.
(This issue has been discussed privately with the security team and they agreed it could be handled publicly.)
Active
2.0
Code
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.