Saved February 14, 2026
The article details a hands-on investigation of PostHog's security flaws, focusing on server-side request forgery (SSRF) vulnerabilities. It outlines how these weaknesses allow unauthorized access to internal services, culminating in an RCE chain through ClickHouse and SQL injection.

The article outlines a security analysis of PostHog, focusing on vulnerabilities related to server-side request forgery (SSRF). The author describes a hands-on approach to evaluating PostHog as a potential analytics solution, emphasizing the importance of understanding the product's architecture before starting a security assessment. After setting up PostHog locally, the author identified several SSRF vulnerabilities, including CVE-2024-9710 and CVE-2025-1521. The author zeroes in on CVE-2023-46746, which was initially detected by the GitHub Security CodeQL team and later patched.

A key finding of the analysis is that while the webhook test endpoint enforces SSRF validation, the endpoint responsible for saving the webhook URL does not apply the same checks. This oversight allows a malicious actor to bypass frontend validation by sending a direct PATCH request that stores a webhook pointing to an internal address, creating a persistent SSRF vulnerability. The article describes how triggering this vulnerability involves creating an action in PostHog that fires on any browser activity, after which the Rust-based webhook worker sends requests to the saved internal URL without re-validating it.

The author provides technical details on the Rust webhook worker's code, specifically the `send_webhook` method, which sends HTTP requests to the configured webhook URLs. Because the worker does not validate the destination URL again after it has been saved, it trusts any internal URL that was previously stored. This turns the SSRF into a potential path to remote code execution (RCE), underlining the need for validation that is enforced consistently wherever a URL is accepted or used, not only in the endpoint that tests it.
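The gap the article describes is a check that runs on the "test webhook" path but not on the save path or at delivery time. The following is an added illustration, not PostHog's code: a destination-URL check applied both when a webhook is stored and again when the worker delivers it. The resolver table, host names and addresses are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. In production use
# socket.getaddrinfo() and check every address the name resolves to.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],  # constructed public address
    "db.corp.example": ["10.0.0.5"],         # constructed internal address
}

def resolve(host, resolver):
    try:
        return [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        return resolver.get(host, [])

def is_allowed_webhook_url(url, resolver=FAKE_DNS):
    """True only for http(s) URLs whose every resolved address is globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve(parts.hostname, resolver)
    if not addrs:
        return False  # unresolvable name: fail closed
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            return False  # private, loopback, link-local, reserved, ...
    return True

class WebhookStore:
    """Checks the URL when it is saved AND again when it is delivered."""
    def __init__(self, resolver=FAKE_DNS):
        self.resolver = resolver
        self.urls = {}

    def save(self, action_id, url):
        # the save/PATCH path must run the same check as the "test" endpoint
        if not is_allowed_webhook_url(url, self.resolver):
            raise ValueError(f"refusing to store webhook url: {url}")
        self.urls[action_id] = url

    def send(self, action_id, http_post):
        url = self.urls[action_id]
        # re-validate at delivery: the stored row may predate the check, or
        # the name's DNS answer may have changed since it was saved
        if not is_allowed_webhook_url(url, self.resolver):
            return False
        http_post(url)
        return True
```

The second check in `send` is what closes the gap for rows written through an unchecked path or before the check existed; a single check at save time would leave those deliveries unprotected.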