CVE-2025-53018 (GCVE-0-2025-53018)
Vulnerability from cvelistv5
Published
2025-06-27 13:00
Modified
2025-06-27 13:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose. Consequently, internal network resources—such as localhost services or cloud-provider metadata endpoints—become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53018",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-27T13:58:53.801963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T13:58:56.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Lychee",
"vendor": "LycheeOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 6.6.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application\u2019s backend to make HTTP requests to any URL they choose. Consequently, internal network resources\u2014such as localhost services or cloud-provider metadata endpoints\u2014become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T13:00:14.086Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v"
},
{
"name": "https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d"
}
],
"source": {
"advisory": "GHSA-cpgw-wgf3-xc6v",
"discovery": "UNKNOWN"
},
"title": "Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53018",
"datePublished": "2025-06-27T13:00:14.086Z",
"dateReserved": "2025-06-24T03:50:36.796Z",
"dateUpdated": "2025-06-27T13:58:56.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-53018\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-27T13:15:24.803\",\"lastModified\":\"2025-06-30T18:38:48.477\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application\u2019s backend to make HTTP requests to any URL they choose. Consequently, internal network resources\u2014such as localhost services or cloud-provider metadata endpoints\u2014become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\"Lychee es una herramienta gratuita y de c\u00f3digo abierto para la gesti\u00f3n de fotos. Antes de la versi\u00f3n 6.6.13, exist\u00eda una vulnerabilidad cr\u00edtica de Server-Side Request Forgery (SSRF) en el endpoint `/api/v2/Photo::fromUrl`. Esta falla permite a un atacante indicar al backend de la aplicaci\u00f3n que realice solicitudes HTTP a cualquier URL. En consecuencia, se puede acceder a recursos internos de la red, como servicios de host local o endpoints de metadatos de proveedores de la nube. El endpoint toma una URL del usuario y la llama desde el servidor mediante fopen() sin ninguna protecci\u00f3n. No hay validaci\u00f3n de direcci\u00f3n IP, ni restricciones de lista de permitidos, tiempo de espera ni tama\u00f1o. Gracias a esto, los atacantes pueden apuntar la aplicaci\u00f3n a objetivos internos. Con esta falla, un atacante puede realizar escaneos de puertos internos o recuperar metadatos confidenciales de la nube. La versi\u00f3n 6.6.13 incluye un parche para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N\",\"baseScore\":3.0,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53018\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-27T13:58:53.801963Z\"}}}], \"references\": [{\"url\": \"https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-27T13:58:49.549Z\"}}], \"cna\": {\"title\": \"Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs\", \"source\": {\"advisory\": \"GHSA-cpgw-wgf3-xc6v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"LycheeOrg\", \"product\": \"Lychee\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.6.13\"}]}], \"references\": [{\"url\": \"https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v\", \"name\": \"https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d\", \"name\": \"https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application\\u2019s backend to make HTTP requests to any URL they choose. Consequently, internal network resources\\u2014such as localhost services or cloud-provider metadata endpoints\\u2014become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-27T13:00:14.086Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-53018\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-27T13:58:56.661Z\", \"dateReserved\": \"2025-06-24T03:50:36.796Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-27T13:00:14.086Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…