Lichess Server-Side Request Forgery Vulnerability in Game Export API
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Lichess game export API, prior to the patch on June 2, 2025. The vulnerability allows remote attackers to manipulate the 'players' parameter, which is sent directly to an internal HTTP client without proper validation. This flaw enables attackers to make the server send HTTP requests to arbitrary URLs, potentially accessing internal services or cloud metadata that could lead to credential theft.
Impact
Exploitation of this vulnerability could allow attackers to access internal cloud metadata services, such as AWS or GCP, to steal credentials and configuration information. Additionally, it could be used to scan internal networks, discover and access internal services or APIs that are not exposed to the internet, read sensitive internal data or configuration files, and perform port scanning of internal infrastructure.
Reproduction
The vulnerability can be reproduced by sending a request to the game export API endpoints with a crafted 'players' parameter that includes a URL. The server will then make an HTTP request to the specified URL, demonstrating the SSRF vulnerability. This issue can also be tested on self-hosted Lichess servers that use the same codebase.
Remediation
The vulnerability has been addressed by removing the game export feature entirely. For those using self-hosted Lichess servers, it is recommended to apply the same removal of the feature or implement proper URL validation and authentication requirements for the affected API endpoints.
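The "proper URL validation" the remediation recommends looks like the check below. This is an added example in Python, not Lichess code (Lichess itself is written in Scala): it assumes an https-only policy, an optional caller-supplied host allow-list, and a constructed list of metadata hostnames, and it rejects both literal internal addresses and DNS names that resolve to them.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetch must never reach: loopback, RFC 1918, CGNAT, link-local
# (home of the 169.254.169.254 cloud metadata endpoint), multicast, IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96")]
# Names of metadata/local services (assumed list; extend per environment).
BLOCKED_HOSTS = {"localhost", "metadata", "metadata.google.internal"}

def resolve_all(host: str) -> set[str]:
    """Every A/AAAA address for host via real DNS; tests inject a stub instead."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def check_outbound_url(raw, resolver=resolve_all, allowed_hosts=None) -> str:
    """Return raw if it is safe to fetch server-side, else raise ValueError.
    With allowed_hosts (preferred) only those hosts pass; otherwise every
    resolved address is checked so DNS names pointing inward are refused."""
    if len(raw) > 2048:
        raise ValueError("url too long")
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError("only https is permitted")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    if parts.port not in (None, 443):  # .port itself raises ValueError if malformed
        raise ValueError("non-standard port")
    host = host.lower().rstrip(".")
    if allowed_hosts is not None:
        if host not in allowed_hosts:
            raise ValueError("host not on allow-list")
        return raw
    if host in BLOCKED_HOSTS:
        raise ValueError("blocked hostname")
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP, no DNS needed
    except ValueError:
        addrs = {ipaddress.ip_address(a) for a in resolver(host)}
    bad = [a for a in addrs if any(a in net for net in BLOCKED_NETS)]
    if bad or not addrs:
        raise ValueError(f"{host} resolves to {bad or 'nothing'}")
    return raw
```

The resolve-then-check form is still open to DNS rebinding unless the HTTP client connects to the address that was checked and does not follow redirects, which is why the allow-list mode is the stronger option for a parameter like this.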