{"uuid": "84e5c849-30e4-4723-87f5-e3d538f536a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-8q6q-m837-fv64", "type": "seen", "source": "https://gist.github.com/alon710/93e1535b55e3d3a6b392785e4c9401da", "content": "# GHSA-8Q6Q-M837-FV64: GHSA-8Q6Q-M837-FV64: Authenticated Server-Side Request Forgery in Koel\n\n&gt; **CVSS Score:** 6.4\n&gt; **Published:** 2026-07-15\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-8Q6Q-M837-FV64\n\n## Summary\nA Server-Side Request Forgery (SSRF) vulnerability in the open-source personal music streaming server Koel allows authenticated Subsonic API users to perform unauthorized network queries. This flaw resides in both the Subsonic podcast feed import routine and the subsequent redirect handling inside the podcast streaming helper, exposing private local networks and internal loopback systems to unauthorized reconnaissance and interaction.\n\n## TL;DR\nAuthenticated Subsonic API users can exploit SSRF vectors in Koel &lt;= 9.6.0 to scan internal networks, loopback interfaces, and cloud metadata resources via unvalidated podcast feed imports and redirect-following stream helpers.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-918\n- **Attack Vector**: Network\n- **CVSS**: 6.4\n- **Impact**: Blind SSRF, Internal Port Scanning, Information Disclosure\n- **Exploit Status**: PoC\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Koel streaming server\n- **phanan/koel**: &lt;= 9.6.0 (Fixed in: `9.7.0`)\n\n## Mitigation\n\n- Upgrade Koel to version 9.7.0 or above\n- Configure network firewall egress rules to block private IP space from the Koel host\n- Implement WAF signatures to validate URL parameters on Subsonic API endpoints\n\n**Remediation Steps:**\n1. Inspect the running Koel version and verify if it is &lt;= 9.6.0.\n2. Apply the patch release 9.7.0 using composer and standard deployment routines.\n3. Confirm that requests to local addresses inside Subsonic API endpoints are rejected with a validation error.\n\n## References\n\n- [GHSA-8Q6Q-M837-FV64 Advisory Details](https://github.com/advisories/GHSA-8Q6Q-M837-FV64)\n- [Koel Repository Advisory](https://github.com/koel/koel/security/advisories/GHSA-8q6q-m837-fv64)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-8Q6Q-M837-FV64) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-15T18:32:06.657351Z"}