GHSA-3JVJ-V6W2-H948

Vulnerability from github – Published: 2026-04-24 15:22 – Updated: 2026-05-13 13:34
VLAI?
Summary
Lemmy has SSRF in /api/v3/post via Webmention dispatch
Details

Summary

Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target.

The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services.

Details

The entry point is the normal post creation API. The user-controlled url field is accepted, normalized with diesel_url_create(), and only validated with is_valid_url(). That validation allows http and https but does not implement internal address rejection.

The post creation flow then schedules Webmention delivery for public communities. This creates a direct source-to-sink path from an externally supplied post URL to a server-side outbound HTTP request.

Core vulnerable code path:

// crates/api_crud/src/post/create.rs
let url = diesel_url_create(data.url.as_deref())?;
if let Some(url) = &url {
  is_url_blocked(url, &url_blocklist)?;
  is_valid_url(url)?;
}

// crates/utils/src/utils/validation.rs
pub fn is_valid_url(url: &Url) -> LemmyResult<()> {
  let is_valid = ["http", "https", "magnet"].contains(&url.scheme());
  if !is_valid {
    Err(LemmyErrorType::InvalidUrl)?
  }
  Ok(())
}

// crates/api_crud/src/post/create.rs
if community.visibility == CommunityVisibility::Public {
  let post = inserted_post.clone();
  let url = url.clone();
  spawn_try_task(async move {
    if let Some(url) = url {
      Webmention::new(post.ap_id.clone().into(), url.into()).send().await?;
    }
    Ok(())
  });
}

These snippets matter because they show that the attacker controls CreatePost.url, the only validation is scheme-level, and the resulting URL is later used for server-side Webmention delivery.

PoC

_Complete instructions, including specific configuration details, to reproduce the vulnerability._Prerequisites:

  • The attacker has a valid low-privileged account.
  • The attacker can post to a public community.

Practical reproduction flow:

  1. Run an HTTP listener on an internal or loopback-reachable address from the Lemmy server's perspective, such as 127.0.0.1:8081.
  2. Authenticate as a normal user.
  3. Submit a post to a public community with url set to the internal target.
  4. Observe the Lemmy API return a normal post creation response.
  5. Observe the internal HTTP listener receive a request from the Lemmy server shortly afterwards.

Complete PoC:

POST /api/v3/post HTTP/1.1
Host: victim.example
Authorization: Bearer <low-priv-jwt>
Content-Type: application/json

{
  "name": "wm-ssrf",
  "community_id": 1,
  "url": "http://127.0.0.1:8081/",
  "body": null,
  "alt_text": null,
  "honeypot": null,
  "nsfw": false,
  "language_id": null,
  "custom_thumbnail": null
}

Outcome:

  • The API returns a successful post_view response.
  • The Lemmy server later issues an outbound request toward http://127.0.0.1:8081/ as part of Webmention processing.

Impact

An authenticated user can use the application server as a blind SSRF primitive against internal HTTP services. This can expose internal network reachability, trigger internal webhooks or administrative endpoints, and expand the attack surface beyond the public deployment boundary.

Because the sink is reached after ordinary user content submission, the issue is practical to exploit in real deployments where normal users can post to public communities.

Severity ?
6.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "lemmy_api_common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.19.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T15:22:49Z",
    "nvd_published_at": "2026-05-08T20:16:31Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nLemmy allows an authenticated low-privileged user to create a link post through `POST /api/v3/post`. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target.\n\nThe submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services.\n\n### Details\nThe entry point is the normal post creation API. The user-controlled `url` field is accepted, normalized with `diesel_url_create()`, and only validated with `is_valid_url()`. That validation allows `http` and `https` but does not implement internal address rejection.\n\nThe post creation flow then schedules Webmention delivery for public communities. This creates a direct source-to-sink path from an externally supplied post URL to a server-side outbound HTTP request.\n\nCore vulnerable code path:\n\n```rust\n// crates/api_crud/src/post/create.rs\nlet url = diesel_url_create(data.url.as_deref())?;\nif let Some(url) = \u0026url {\n  is_url_blocked(url, \u0026url_blocklist)?;\n  is_valid_url(url)?;\n}\n```\n\n```rust\n// crates/utils/src/utils/validation.rs\npub fn is_valid_url(url: \u0026Url) -\u003e LemmyResult\u003c()\u003e {\n  let is_valid = [\"http\", \"https\", \"magnet\"].contains(\u0026url.scheme());\n  if !is_valid {\n    Err(LemmyErrorType::InvalidUrl)?\n  }\n  Ok(())\n}\n```\n\n```rust\n// crates/api_crud/src/post/create.rs\nif community.visibility == CommunityVisibility::Public {\n  let post = inserted_post.clone();\n  let url = url.clone();\n  spawn_try_task(async move {\n    if let Some(url) = url {\n      Webmention::new(post.ap_id.clone().into(), url.into()).send().await?;\n    }\n    Ok(())\n  });\n}\n```\n\nThese snippets matter because they show that the attacker controls `CreatePost.url`, the only validation is scheme-level, and the resulting URL is later used for server-side Webmention delivery.\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._Prerequisites:\n\n- The attacker has a valid low-privileged account.\n- The attacker can post to a public community.\n\nPractical reproduction flow:\n\n1. Run an HTTP listener on an internal or loopback-reachable address from the Lemmy server\u0027s perspective, such as `127.0.0.1:8081`.\n2. Authenticate as a normal user.\n3. Submit a post to a public community with `url` set to the internal target.\n4. Observe the Lemmy API return a normal post creation response.\n5. Observe the internal HTTP listener receive a request from the Lemmy server shortly afterwards.\n\nComplete PoC:\n\n```http\nPOST /api/v3/post HTTP/1.1\nHost: victim.example\nAuthorization: Bearer \u003clow-priv-jwt\u003e\nContent-Type: application/json\n\n{\n  \"name\": \"wm-ssrf\",\n  \"community_id\": 1,\n  \"url\": \"http://127.0.0.1:8081/\",\n  \"body\": null,\n  \"alt_text\": null,\n  \"honeypot\": null,\n  \"nsfw\": false,\n  \"language_id\": null,\n  \"custom_thumbnail\": null\n}\n```\n\nOutcome:\n\n- The API returns a successful `post_view` response.\n- The Lemmy server later issues an outbound request toward `http://127.0.0.1:8081/` as part of Webmention processing.\n### Impact\nAn authenticated user can use the application server as a blind SSRF primitive against internal HTTP services. This can expose internal network reachability, trigger internal webhooks or administrative endpoints, and expand the attack surface beyond the public deployment boundary.\n\nBecause the sink is reached after ordinary user content submission, the issue is practical to exploit in real deployments where normal users can post to public communities.",
  "id": "GHSA-3jvj-v6w2-h948",
  "modified": "2026-05-13T13:34:08Z",
  "published": "2026-04-24T15:22:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42180"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LemmyNet/lemmy/commit/1f06693b708020c5c3a3752bd2f1c6006a75e9bc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/LemmyNet/lemmy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Lemmy has SSRF in /api/v3/post via Webmention dispatch"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.