fkie_cve-2025-53018
Vulnerability from fkie_nvd
Published
2025-06-27 13:15
Modified
2025-06-30 18:38
Severity ?
3.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
Summary
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose. Consequently, internal network resources—such as localhost services or cloud-provider metadata endpoints—become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue.
References
security-advisories@github.comhttps://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d
security-advisories@github.comhttps://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application\u2019s backend to make HTTP requests to any URL they choose. Consequently, internal network resources\u2014such as localhost services or cloud-provider metadata endpoints\u2014become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "Lychee es una herramienta gratuita y de c\u00f3digo abierto para la gesti\u00f3n de fotos. Antes de la versi\u00f3n 6.6.13, exist\u00eda una vulnerabilidad cr\u00edtica de Server-Side Request Forgery (SSRF) en el endpoint `/api/v2/Photo::fromUrl`. Esta falla permite a un atacante indicar al backend de la aplicaci\u00f3n que realice solicitudes HTTP a cualquier URL. En consecuencia, se puede acceder a recursos internos de la red, como servicios de host local o endpoints de metadatos de proveedores de la nube. El endpoint toma una URL del usuario y la llama desde el servidor mediante fopen() sin ninguna protecci\u00f3n. No hay validaci\u00f3n de direcci\u00f3n IP, ni restricciones de lista de permitidos, tiempo de espera ni tama\u00f1o. Gracias a esto, los atacantes pueden apuntar la aplicaci\u00f3n a objetivos internos. Con esta falla, un atacante puede realizar escaneos de puertos internos o recuperar metadatos confidenciales de la nube. La versi\u00f3n 6.6.13 incluye un parche para este problema."
    }
  ],
  "id": "CVE-2025-53018",
  "lastModified": "2025-06-30T18:38:48.477",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.0,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-27T13:15:24.803",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.