GHSA-JR4P-4XJH-FWVW

Vulnerability from github – Published: 2026-07-15 18:21 – Updated: 2026-07-15 18:21
VLAI
Summary
Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail
Details

Summary

Koel v9.5.0 contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule — which issues HTTP requests to the supplied URL — still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts.

This is a blind SSRF: the response body is never returned to the client, but the two distinct validation error messages form a reliable internal-network reachability oracle.

Severity

Medium — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

Authenticated (low-privilege) actor; blind SSRF (no response-body exfiltration). Confidentiality (L) reflects the internal reachability oracle; Integrity (L) reflects state-changing internal endpoints that act on GET/HEAD.

Affected Component

  • Version: Koel v9.5.0 (latest release, HEAD b2e9a34, verified 2026-05-30)
  • Endpoint: POST /api/radio/stations
  • Files:
  • app/Http/Requests/API/Radio/RadioStationStoreRequest.php (missing bail)
  • app/Rules/HasAudioContentType.php (unguarded HTTP fetch)

Root Cause

app/Http/Requests/API/Radio/RadioStationStoreRequest.php (lines 25-34):

'url' => [
    'required',
    'url',
    Rule::unique('radio_stations')->where(function ($query) {
        return $query->where('user_id', $this->user()->id);
    }),
    new SafeUrl(),
    new HasAudioContentType(),
],

In Laravel, validation rules within a single attribute run in sequence and do not stop on the first failure unless bail is present or FormRequest::$stopOnFirstFailure is set. Neither is the case here (App\Http\Requests\Request does not override stopOnFirstFailure, and authorize() simply returns true).

For a directly-supplied private/reserved address (e.g. http://169.254.169.254, http://127.0.0.1:6379, http://192.168.0.1):

  1. SafeUrl (app/Rules/SafeUrl.php lines 45-49) calls isPublicHost($uri->host()), fails it, calls $fail(...) and returns. SafeUrl itself does not make a request in this path — good.
  2. Because there is no bail, validation continues to HasAudioContentType.
  3. HasAudioContentType::resolveContentType() (app/Rules/HasAudioContentType.php lines 41-57) issues the request with no IP/host validation of its own:

    private function resolveContentType(string $url): string { try { $response = Http::head($url); // <-- SSRF if ($response->successful()) { return $response->header('Content-Type'); } } catch (Throwable) { }

    // Falls back to a streaming GET
    $response = Http::withHeaders(['Icy-MetaData' => '1'])
        ->withOptions(['stream' => true])
        ->get($url);                               // <-- SSRF
    return $response->header('Content-Type');
    

    }

The rule's own docblock (line 13-14) states "Should be used after SafeUrl to ensure the URL is safe to reach." — that assumption is silently violated by the missing bail.

Authorization Context

The endpoint is reachable by any authenticated user, not just admins:

  • routes/api.base.php line 108 wraps the route group in Route::middleware('auth') only.
  • routes/api.base.php line 268: Route::apiResource('stations', RadioStationController::class).
  • RadioStationController::store() (lines 31-37) carries only #[DisabledInDemo] — no $this->authorize(...), no #[RequiresPlus], no permission check.

Reachability Oracle (Information Disclosure)

HasAudioContentType::validate() returns two distinct messages:

  • Host unreachable / request throws → "The url couldn't be reached." (line 26)
  • Host reachable but Content-Type is not audio/* → "The url doesn't look like a valid radio station URL." (line 32)

By diffing these responses an attacker can enumerate which internal hosts/ports are live behind the firewall (internal host discovery and coarse port scanning).

Proof of Concept

As any regular authenticated user:

POST /api/radio/stations HTTP/1.1
Host: koel.example.com
Authorization: Bearer <regular_user_token>
Content-Type: application/json

{
  "name": "probe",
  "url": "http://127.0.0.1:6379"
}
  • If the internal service answers → "The url doesn't look like a valid radio station URL."
  • If nothing is listening → "The url couldn't be reached."

The server has now issued a HEAD and a streaming GET to 127.0.0.1:6379 despite SafeUrl having rejected it.

Impact

  • Blind SSRF: server-side HEAD/GET to attacker-chosen internal addresses. The response body is never returned to the client, so this cannot directly exfiltrate content (e.g. cloud-metadata bodies).
  • Internal reachability oracle: reliable live-host / open-port discovery via the two distinct error strings.
  • Side-effect requests: any internal endpoint that performs a state-changing action on GET/HEAD can be triggered.

Note on scope: because SafeUrl calls $fail() for a private host, the overall request validation fails (Laravel aggregates all rule failures; a single failure yields a 422), so RadioStationController::store() never runs and no station is persisted. The impact is therefore limited to the out-of-band HEAD/GET requests issued by HasAudioContentType during validation, plus the reachability oracle — it does not chain into a stored station or into the authenticated radio stream proxy via this path.

Recommended Fix

Add bail so HasAudioContentType only runs after SafeUrl passes, restoring the rule's documented precondition:

'url' => [
    'required',
    'url',
    'bail',
    Rule::unique('radio_stations')->where(/* ... */),
    new SafeUrl(),
    new HasAudioContentType(),
],

(Place bail before SafeUrl/HasAudioContentType; the unique check is local DB only and safe to keep ahead of it if preferred.)

Defense in depth

Have HasAudioContentType::resolveContentType() re-validate the host with Network::isPublicHost() (or reuse Network::isSafeUrl()) before issuing any request, so the rule is safe regardless of ordering. The same Network helper is already used by PodcastService for enclosure URLs.

Relationship to CVE-2026-47260

CVE-2026-47260 addressed SSRF via podcast episode enclosure URLs; the current code guards that sink in app/Services/Podcast/PodcastService.php (line 143) with Network::isSafeUrl(). The radio-station path relies instead on the SafeUrl validation rule, but the missing bail lets the adjacent HasAudioContentType fetch run anyway — leaving an SSRF reachable from the same class of untrusted, user-supplied URLs. I have not been able to confirm the exact upstream fix commit for CVE-2026-47260 from the release tarball, so I am presenting this as an independent finding rather than asserting it is the same code change.

Disclosure

  • 2026-05-30: Identified via source review of v9.5.0 (b2e9a34).
  • Verified entirely by source inspection (route middleware, controller, FormRequest base class, and both validation rules). No live PoC was executed against a third-party host.

If the maintainers agree this is a distinct issue, would you consider requesting a CVE identifier for it through GitHub Security Advisories? Happy to provide any further detail or testing.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.7.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phanan/koel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50552"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-15T18:21:04Z",
    "nvd_published_at": "2026-06-12T20:16:47Z",
    "severity": "MODERATE"
  },
  "details": "Summary\n\nKoel v9.5.0 contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule \u2014 which issues HTTP requests to the supplied URL \u2014 still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts.\n\nThis is a blind SSRF: the response body is never returned to the client, but the two distinct validation error messages form a reliable internal-network reachability oracle.\n\nSeverity\n\nMedium \u2014 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)\n\nAuthenticated (low-privilege) actor; blind SSRF (no response-body exfiltration). Confidentiality (L) reflects the internal reachability oracle; Integrity (L) reflects state-changing internal endpoints that act on GET/HEAD.\n\nAffected Component\n\n- Version: Koel v9.5.0 (latest release, HEAD b2e9a34, verified 2026-05-30)\n- Endpoint: POST /api/radio/stations\n- Files:\n  - app/Http/Requests/API/Radio/RadioStationStoreRequest.php (missing bail)\n  - app/Rules/HasAudioContentType.php (unguarded HTTP fetch)\n\nRoot Cause\n\napp/Http/Requests/API/Radio/RadioStationStoreRequest.php (lines 25-34):\n\n    \u0027url\u0027 =\u003e [\n        \u0027required\u0027,\n        \u0027url\u0027,\n        Rule::unique(\u0027radio_stations\u0027)-\u003ewhere(function ($query) {\n            return $query-\u003ewhere(\u0027user_id\u0027, $this-\u003euser()-\u003eid);\n        }),\n        new SafeUrl(),\n        new HasAudioContentType(),\n    ],\n\nIn Laravel, validation rules within a single attribute run in sequence and do not stop on the first failure unless bail is present or FormRequest::$stopOnFirstFailure is set. Neither is the case here (App\\Http\\Requests\\Request does not override stopOnFirstFailure, and authorize() simply returns true).\n\nFor a directly-supplied private/reserved address (e.g. http://169.254.169.254, http://127.0.0.1:6379, http://192.168.0.1):\n\n1. SafeUrl (app/Rules/SafeUrl.php lines 45-49) calls isPublicHost($uri-\u003ehost()), fails it, calls $fail(...) and returns. SafeUrl itself does not make a request in this path \u2014 good.\n2. Because there is no bail, validation continues to HasAudioContentType.\n3. HasAudioContentType::resolveContentType() (app/Rules/HasAudioContentType.php lines 41-57) issues the request with no IP/host validation of its own:\n\n    private function resolveContentType(string $url): string\n    {\n        try {\n            $response = Http::head($url);              // \u003c-- SSRF\n            if ($response-\u003esuccessful()) {\n                return $response-\u003eheader(\u0027Content-Type\u0027);\n            }\n        } catch (Throwable) { }\n    \n        // Falls back to a streaming GET\n        $response = Http::withHeaders([\u0027Icy-MetaData\u0027 =\u003e \u00271\u0027])\n            -\u003ewithOptions([\u0027stream\u0027 =\u003e true])\n            -\u003eget($url);                               // \u003c-- SSRF\n        return $response-\u003eheader(\u0027Content-Type\u0027);\n    }\n\nThe rule\u0027s own docblock (line 13-14) states \"Should be used after SafeUrl to ensure the URL is safe to reach.\" \u2014 that assumption is silently violated by the missing bail.\n\nAuthorization Context\n\nThe endpoint is reachable by any authenticated user, not just admins:\n\n- routes/api.base.php line 108 wraps the route group in Route::middleware(\u0027auth\u0027) only.\n- routes/api.base.php line 268: Route::apiResource(\u0027stations\u0027, RadioStationController::class).\n- RadioStationController::store() (lines 31-37) carries only #[DisabledInDemo] \u2014 no $this-\u003eauthorize(...), no #[RequiresPlus], no permission check.\n\nReachability Oracle (Information Disclosure)\n\nHasAudioContentType::validate() returns two distinct messages:\n\n- Host unreachable / request throws \u2192 \"The url couldn\u0027t be reached.\" (line 26)\n- Host reachable but Content-Type is not audio/* \u2192 \"The url doesn\u0027t look like a valid radio station URL.\" (line 32)\n\nBy diffing these responses an attacker can enumerate which internal hosts/ports are live behind the firewall (internal host discovery and coarse port scanning).\n\nProof of Concept\n\nAs any regular authenticated user:\n\n    POST /api/radio/stations HTTP/1.1\n    Host: koel.example.com\n    Authorization: Bearer \u003cregular_user_token\u003e\n    Content-Type: application/json\n    \n    {\n      \"name\": \"probe\",\n      \"url\": \"http://127.0.0.1:6379\"\n    }\n\n- If the internal service answers \u2192 \"The url doesn\u0027t look like a valid radio station URL.\"\n- If nothing is listening \u2192 \"The url couldn\u0027t be reached.\"\n\nThe server has now issued a HEAD and a streaming GET to 127.0.0.1:6379 despite SafeUrl having rejected it.\n\nImpact\n\n- Blind SSRF: server-side HEAD/GET to attacker-chosen internal addresses. The response body is never returned to the client, so this cannot directly exfiltrate content (e.g. cloud-metadata bodies).\n- Internal reachability oracle: reliable live-host / open-port discovery via the two distinct error strings.\n- Side-effect requests: any internal endpoint that performs a state-changing action on GET/HEAD can be triggered.\n\nNote on scope: because SafeUrl calls $fail() for a private host, the overall request validation fails (Laravel aggregates all rule failures; a single failure yields a 422), so RadioStationController::store() never runs and no station is persisted. The impact is therefore limited to the out-of-band HEAD/GET requests issued by HasAudioContentType during validation, plus the reachability oracle \u2014 it does not chain into a stored station or into the authenticated radio stream proxy via this path.\n\nRecommended Fix\n\nAdd bail so HasAudioContentType only runs after SafeUrl passes, restoring the rule\u0027s documented precondition:\n\n    \u0027url\u0027 =\u003e [\n        \u0027required\u0027,\n        \u0027url\u0027,\n        \u0027bail\u0027,\n        Rule::unique(\u0027radio_stations\u0027)-\u003ewhere(/* ... */),\n        new SafeUrl(),\n        new HasAudioContentType(),\n    ],\n\n(Place bail before SafeUrl/HasAudioContentType; the unique check is local DB only and safe to keep ahead of it if preferred.)\n\nDefense in depth\n\nHave HasAudioContentType::resolveContentType() re-validate the host with Network::isPublicHost() (or reuse Network::isSafeUrl()) before issuing any request, so the rule is safe regardless of ordering. The same Network helper is already used by PodcastService for enclosure URLs.\n\nRelationship to CVE-2026-47260\n\nCVE-2026-47260 addressed SSRF via podcast episode enclosure URLs; the current code guards that sink in app/Services/Podcast/PodcastService.php (line 143) with Network::isSafeUrl(). The radio-station path relies instead on the SafeUrl validation rule, but the missing bail lets the adjacent HasAudioContentType fetch run anyway \u2014 leaving an SSRF reachable from the same class of untrusted, user-supplied URLs. I have not been able to confirm the exact upstream fix commit for CVE-2026-47260 from the release tarball, so I am presenting this as an independent finding rather than asserting it is the same code change.\n\nDisclosure\n\n- 2026-05-30: Identified via source review of v9.5.0 (b2e9a34).\n- Verified entirely by source inspection (route middleware, controller, FormRequest base class, and both validation rules). No live PoC was executed against a third-party host.\n\nIf the maintainers agree this is a distinct issue, would you consider requesting a CVE identifier for it through GitHub Security Advisories? Happy to provide any further detail or testing.",
  "id": "GHSA-jr4p-4xjh-fwvw",
  "modified": "2026-07-15T18:21:04Z",
  "published": "2026-07-15T18:21:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50552"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koel/koel/pull/2549"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koel/koel/commit/5f6ce2cefd08f437a269236b677ad971517ccbb6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/koel/koel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koel/koel/releases/tag/v9.7.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…