GHSA-8Q6Q-M837-FV64

Vulnerability from github – Published: 2026-07-15 17:31 – Updated: 2026-07-15 17:31
VLAI
Summary
Koel has SSRF through Authenticated Subsonic podcast feed URLs
Details

Summary

Koel's Subsonic createPodcastChannel.view endpoint accepts a user supplied podcast feed URL and fetches it server-side before applying the safe URL checks that are used for podcast episode enclosure URLs. An authenticated Subsonic API user can provide a loopback or internal URL as the feed URL and cause the Koel backend to issue a request to that address.

A related redirect gap exists in the podcast stream helper: PodcastService::getStreamableUrl() validates only the original URL, then lets Guzzle follow redirects and accepts the final redirected URL without re-validating it.

Impact

An attacker with any valid Koel account and Subsonic API key can trigger server-side requests from the Koel host to loopback or internal network services. This can be used for blind SSRF against internal HTTP endpoints reachable by the Koel deployment. If an internal service returns valid RSS/XML or permissive CORS responses, parts of the response or final URL may be reflected back through normal podcast or stream behavior.

Reproduction

  1. Start Koel v9.6.0 or current main and create a normal user.
  2. Obtain the user's Subsonic API key.
  3. Start a local canary HTTP server on the Koel host at 127.0.0.1:8103 that records requests and returns this minimal RSS feed:
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Internal Canary Feed</title>
    <link>https://example.com/</link>
    <description>Internal feed SSRF canary</description>
    <item>
      <title>Episode One</title>
      <guid>koel-internal-canary-episode-1</guid>
      <pubDate>Mon, 01 Jun 2026 12:00:00 GMT</pubDate>
      <enclosure url="https://example.com/episode.mp3" length="1" type="audio/mpeg" />
    </item>
  </channel>
</rss>
  1. Send an authenticated Subsonic request:
GET /rest/createPodcastChannel.view?apiKey=<SUBSONIC_API_KEY>&f=json&url=http://127.0.0.1:8103/feed.xml HTTP/1.1
Host: koel.example
  1. The endpoint returns a successful Subsonic response and the canary records a backend request:
GET /feed.xml

Unauthenticated control: the same request without a valid API key fails and does not hit the canary.

Redirect control for the stream helper: calling PodcastService::getStreamableUrl() with direct http://127.0.0.1:8102/secret returns null and makes no canary request. Calling it with a safe-looking public URL that redirects to http://127.0.0.1:8102/secret causes the backend to request OPTIONS /secret and returns the loopback final URL.

Root cause

app/Http/Requests/Subsonic/CreatePodcastChannelRequest.php validates url only as required|string|url. The controller passes it to PodcastService::addPodcast(), where PodcastService.php calls createParser($url) and Poddle::fromUrl($url, ...) before any Network::isSafeUrl() check. The enclosure URL guard in synchronizeEpisodes() runs later and only covers episode enclosure URLs, not the feed URL that was already fetched.

For streaming, PodcastService::getStreamableUrl() checks Network::isSafeUrl($url) on the original URL, then follows redirects with Guzzle and accepts the last redirect target from X-Guzzle-Redirect-History without validating that target.

Remediation

Validate the podcast feed URL with the same safe URL policy before Poddle::fromUrl() performs any request. Re-validate every redirect target before following it, or disable automatic redirects and manually fetch only targets that pass the safe URL policy. Apply the same redirect validation in getStreamableUrl(). Add regression tests for direct loopback and private IP feed URLs, DNS names resolving to private ranges, and public URL to loopback redirects.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.6.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phanan/koel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-15T17:31:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nKoel\u0027s Subsonic `createPodcastChannel.view` endpoint accepts a user supplied podcast feed URL and fetches it server-side before applying the safe URL checks that are used for podcast episode enclosure URLs. An authenticated Subsonic API user can provide a loopback or internal URL as the feed URL and cause the Koel backend to issue a request to that address.\n\nA related redirect gap exists in the podcast stream helper: `PodcastService::getStreamableUrl()` validates only the original URL, then lets Guzzle follow redirects and accepts the final redirected URL without re-validating it.\n\n## Impact\n\nAn attacker with any valid Koel account and Subsonic API key can trigger server-side requests from the Koel host to loopback or internal network services. This can be used for blind SSRF against internal HTTP endpoints reachable by the Koel deployment. If an internal service returns valid RSS/XML or permissive CORS responses, parts of the response or final URL may be reflected back through normal podcast or stream behavior.\n\n## Reproduction\n\n1. Start Koel v9.6.0 or current main and create a normal user.\n2. Obtain the user\u0027s Subsonic API key.\n3. Start a local canary HTTP server on the Koel host at `127.0.0.1:8103` that records requests and returns this minimal RSS feed:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003crss version=\"2.0\"\u003e\n  \u003cchannel\u003e\n    \u003ctitle\u003eInternal Canary Feed\u003c/title\u003e\n    \u003clink\u003ehttps://example.com/\u003c/link\u003e\n    \u003cdescription\u003eInternal feed SSRF canary\u003c/description\u003e\n    \u003citem\u003e\n      \u003ctitle\u003eEpisode One\u003c/title\u003e\n      \u003cguid\u003ekoel-internal-canary-episode-1\u003c/guid\u003e\n      \u003cpubDate\u003eMon, 01 Jun 2026 12:00:00 GMT\u003c/pubDate\u003e\n      \u003cenclosure url=\"https://example.com/episode.mp3\" length=\"1\" type=\"audio/mpeg\" /\u003e\n    \u003c/item\u003e\n  \u003c/channel\u003e\n\u003c/rss\u003e\n```\n\n4. Send an authenticated Subsonic request:\n\n```http\nGET /rest/createPodcastChannel.view?apiKey=\u003cSUBSONIC_API_KEY\u003e\u0026f=json\u0026url=http://127.0.0.1:8103/feed.xml HTTP/1.1\nHost: koel.example\n```\n\n5. The endpoint returns a successful Subsonic response and the canary records a backend request:\n\n```text\nGET /feed.xml\n```\n\nUnauthenticated control: the same request without a valid API key fails and does not hit the canary.\n\nRedirect control for the stream helper: calling `PodcastService::getStreamableUrl()` with direct `http://127.0.0.1:8102/secret` returns `null` and makes no canary request. Calling it with a safe-looking public URL that redirects to `http://127.0.0.1:8102/secret` causes the backend to request `OPTIONS /secret` and returns the loopback final URL.\n\n## Root cause\n\n`app/Http/Requests/Subsonic/CreatePodcastChannelRequest.php` validates `url` only as `required|string|url`. The controller passes it to `PodcastService::addPodcast()`, where `PodcastService.php` calls `createParser($url)` and `Poddle::fromUrl($url, ...)` before any `Network::isSafeUrl()` check. The enclosure URL guard in `synchronizeEpisodes()` runs later and only covers episode enclosure URLs, not the feed URL that was already fetched.\n\nFor streaming, `PodcastService::getStreamableUrl()` checks `Network::isSafeUrl($url)` on the original URL, then follows redirects with Guzzle and accepts the last redirect target from `X-Guzzle-Redirect-History` without validating that target.\n\n## Remediation\n\nValidate the podcast feed URL with the same safe URL policy before `Poddle::fromUrl()` performs any request. Re-validate every redirect target before following it, or disable automatic redirects and manually fetch only targets that pass the safe URL policy. Apply the same redirect validation in `getStreamableUrl()`. Add regression tests for direct loopback and private IP feed URLs, DNS names resolving to private ranges, and public URL to loopback redirects.",
  "id": "GHSA-8q6q-m837-fv64",
  "modified": "2026-07-15T17:31:12Z",
  "published": "2026-07-15T17:31:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/koel/koel/security/advisories/GHSA-8q6q-m837-fv64"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/koel/koel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koel/koel/releases/tag/v9.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": " Koel has SSRF through Authenticated Subsonic podcast feed URLs"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…